matrix | 9a58fcb6bf71775f7a5f833ea3780cdb67c421def1ff1851adc2061d366e0fdc

Analysis

max time kernel
60s
max time network
114s
platform
windows7_x64
resource
win7v20210408
submitted
29/05/2021, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NWDEiUim.exe
Size

707KB
MD5

a547e8aca98f3566ebd0f48ef2137d71
SHA1

24716beac8d9f8a46331bbe7c1286e727ad4b1be
SHA256

9a58fcb6bf71775f7a5f833ea3780cdb67c421def1ff1851adc2061d366e0fdc
SHA512

bcb590393d88d1481843f03e76f9fdaed30c940493ce854d06c7b67408846be5fa695b8bea6d41d984369ef6a6ee3180ba6fba4cb430587e0f00e61efbac56bf

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7w2cnti.default-release\startupCache\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\management\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\security\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\Favorites\Links for United States\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Google\Chrome\Application\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Mozilla Firefox\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe
File created	C:\Program Files\Mozilla Firefox\browser\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\Documents\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#MMTA_README#.rtf	NWDEiUim.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1828	bcdedit.exe
1700	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	aDTvGCQK64.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	NWDb3u0Q.exe
1960	aDTvGCQK.exe
2016	aDTvGCQK64.exe
2040	aDTvGCQK.exe
1716	aDTvGCQK.exe
1348	aDTvGCQK.exe
1768	aDTvGCQK.exe
1376	aDTvGCQK.exe
828	aDTvGCQK.exe
1888	aDTvGCQK.exe
1300	aDTvGCQK.exe
1052	aDTvGCQK.exe
1852	aDTvGCQK.exe
960	aDTvGCQK.exe
2040	aDTvGCQK.exe
828	aDTvGCQK.exe
1852	aDTvGCQK.exe
1592	aDTvGCQK.exe
1052	aDTvGCQK.exe
1772	aDTvGCQK.exe
1508	aDTvGCQK.exe
1648	aDTvGCQK.exe
1852	aDTvGCQK.exe
1904	aDTvGCQK.exe
1052	aDTvGCQK.exe
1820	aDTvGCQK.exe
960	aDTvGCQK.exe
1368	aDTvGCQK.exe
568	aDTvGCQK.exe
1396	aDTvGCQK.exe
668	aDTvGCQK.exe
1904	aDTvGCQK.exe
828	aDTvGCQK.exe
668	aDTvGCQK.exe
1820	aDTvGCQK.exe
828	aDTvGCQK.exe
792	aDTvGCQK.exe
1820	aDTvGCQK.exe
1716	aDTvGCQK.exe
792	aDTvGCQK.exe
1804	aDTvGCQK.exe
1716	aDTvGCQK.exe
1512	aDTvGCQK.exe
1904	aDTvGCQK.exe
1384	aDTvGCQK.exe
1876	aDTvGCQK.exe
1828	aDTvGCQK.exe
236	aDTvGCQK.exe
2028	aDTvGCQK.exe
348	aDTvGCQK.exe
1700	aDTvGCQK.exe
1820	aDTvGCQK.exe
212	aDTvGCQK.exe
1300	aDTvGCQK.exe
864	aDTvGCQK.exe
860	aDTvGCQK.exe
1700	aDTvGCQK.exe
960	aDTvGCQK.exe
1508	aDTvGCQK.exe
1384	aDTvGCQK.exe
1772	aDTvGCQK.exe
624	aDTvGCQK.exe
348	aDTvGCQK.exe
1820	aDTvGCQK.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130d3-61.dat	upx
behavioral1/files/0x00040000000130d3-62.dat	upx
behavioral1/files/0x00040000000130d3-63.dat	upx
behavioral1/files/0x00040000000130d3-65.dat	upx
behavioral1/files/0x00030000000130dc-81.dat	upx
behavioral1/files/0x00030000000130dc-80.dat	upx
behavioral1/files/0x00030000000130dc-83.dat	upx
behavioral1/files/0x00030000000130dc-97.dat	upx
behavioral1/files/0x00030000000130dc-99.dat	upx
behavioral1/files/0x00030000000130dc-101.dat	upx
behavioral1/files/0x00030000000130dc-103.dat	upx
behavioral1/files/0x00030000000130dc-109.dat	upx
behavioral1/files/0x00030000000130dc-111.dat	upx
behavioral1/files/0x00030000000130dc-113.dat	upx
behavioral1/files/0x00030000000130dc-115.dat	upx
behavioral1/files/0x00030000000130dc-121.dat	upx
behavioral1/files/0x00030000000130dc-123.dat	upx
behavioral1/files/0x00030000000130dc-125.dat	upx
behavioral1/files/0x00030000000130dc-127.dat	upx
behavioral1/files/0x00030000000130dc-135.dat	upx
behavioral1/files/0x00030000000130dc-137.dat	upx
behavioral1/files/0x00030000000130dc-139.dat	upx
behavioral1/files/0x00030000000130dc-141.dat	upx
behavioral1/files/0x00030000000130dc-147.dat	upx
behavioral1/files/0x00030000000130dc-149.dat	upx
behavioral1/files/0x00030000000130dc-151.dat	upx
behavioral1/files/0x00030000000130dc-153.dat	upx
behavioral1/files/0x00030000000130dc-159.dat	upx
behavioral1/files/0x00030000000130dc-161.dat	upx
behavioral1/files/0x00030000000130dc-163.dat	upx
behavioral1/files/0x00030000000130dc-165.dat	upx
behavioral1/files/0x00030000000130dc-171.dat	upx
behavioral1/files/0x00030000000130dc-173.dat	upx
behavioral1/files/0x00030000000130dc-175.dat	upx
behavioral1/files/0x00030000000130dc-177.dat	upx
behavioral1/files/0x00030000000130dc-181.dat	upx
behavioral1/files/0x00030000000130dc-182.dat	upx
behavioral1/files/0x00030000000130dc-184.dat	upx
behavioral1/files/0x00030000000130dc-185.dat	upx
behavioral1/files/0x00030000000130dc-187.dat	upx
behavioral1/files/0x00030000000130dc-188.dat	upx
behavioral1/files/0x00030000000130dc-190.dat	upx
behavioral1/files/0x00030000000130dc-191.dat	upx
behavioral1/files/0x00030000000130dc-193.dat	upx
behavioral1/files/0x00030000000130dc-194.dat	upx
behavioral1/files/0x00030000000130dc-196.dat	upx
behavioral1/files/0x00030000000130dc-197.dat	upx
behavioral1/files/0x00030000000130dc-199.dat	upx
behavioral1/files/0x00030000000130dc-200.dat	upx
behavioral1/files/0x00030000000130dc-202.dat	upx
behavioral1/files/0x00030000000130dc-203.dat	upx
behavioral1/files/0x00030000000130dc-205.dat	upx
behavioral1/files/0x00030000000130dc-206.dat	upx
behavioral1/files/0x00030000000130dc-208.dat	upx
behavioral1/files/0x00030000000130dc-209.dat	upx
behavioral1/files/0x00030000000130dc-211.dat	upx
behavioral1/files/0x00030000000130dc-212.dat	upx
behavioral1/files/0x00030000000130dc-214.dat	upx
behavioral1/files/0x00030000000130dc-215.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1992	NWDEiUim.exe
1992	NWDEiUim.exe
1684	cmd.exe
1960	aDTvGCQK.exe
1048	cmd.exe
992	cmd.exe
516	cmd.exe
1828	cmd.exe
1860	cmd.exe
1396	cmd.exe
348	cmd.exe
1620	cmd.exe
1140	cmd.exe
916	cmd.exe
1440	cmd.exe
424	cmd.exe
1384	cmd.exe
912	cmd.exe
1552	cmd.exe
1768	cmd.exe
1348	cmd.exe
828	cmd.exe
348	cmd.exe
1536	cmd.exe
1396	cmd.exe
1300	cmd.exe
1868	cmd.exe
1768	cmd.exe
1300	cmd.exe
1384	cmd.exe
1700	cmd.exe
908	cmd.exe
592	cmd.exe
1052	cmd.exe
1828	cmd.exe
936	cmd.exe
484	cmd.exe
1772	cmd.exe
908	cmd.exe
1876	cmd.exe
1052	cmd.exe
864	cmd.exe
1348	cmd.exe
668	cmd.exe
1368	cmd.exe
860	cmd.exe
1768	cmd.exe
1820	cmd.exe
228	cmd.exe
668	cmd.exe
860	cmd.exe
1852	cmd.exe
908	cmd.exe
1348	cmd.exe
668	cmd.exe
220	cmd.exe
1620	cmd.exe
828	cmd.exe
1672	cmd.exe
1852	cmd.exe
912	cmd.exe
208	cmd.exe
1716	cmd.exe
1360	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1552	Process not Found
1648	takeown.exe
2036	takeown.exe
1700	takeown.exe
1768	Process not Found
656	takeown.exe
1700	Process not Found
1852	Process not Found
592	takeown.exe
572	takeown.exe
1852	takeown.exe
1724	takeown.exe
2036	takeown.exe
1768	takeown.exe
1048	takeown.exe
1052	takeown.exe
572	takeown.exe
1392	takeown.exe
220	takeown.exe
996	takeown.exe
1348	takeown.exe
1804	takeown.exe
1904	takeown.exe
1536	takeown.exe
1552	takeown.exe
1492	takeown.exe
1760	takeown.exe
436	takeown.exe
1532	takeown.exe
656	takeown.exe
208	takeown.exe
592	takeown.exe
296	takeown.exe
1016	takeown.exe
1532	Process not Found
1876	takeown.exe
1700	takeown.exe
1132	takeown.exe
1108	takeown.exe
960	takeown.exe
1836	takeown.exe
484	takeown.exe
212	takeown.exe
860	takeown.exe
1768	takeown.exe
1904	takeown.exe
216	takeown.exe
2028	takeown.exe
1132	takeown.exe
928	takeown.exe
1768	takeown.exe
1492	takeown.exe
860	takeown.exe
1052	takeown.exe
908	takeown.exe
1440	takeown.exe
1140	takeown.exe
1672	takeown.exe
1016	takeown.exe
908	takeown.exe
1700	takeown.exe
1388	takeown.exe
792	takeown.exe
1820	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Program Files\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	NWDEiUim.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	NWDEiUim.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	NWDEiUim.exe
File opened (read-only)	\??\H:	NWDEiUim.exe
File opened (read-only)	\??\F:	NWDEiUim.exe
File opened (read-only)	\??\G:	aDTvGCQK64.exe
File opened (read-only)	\??\R:	aDTvGCQK64.exe
File opened (read-only)	\??\M:	NWDEiUim.exe
File opened (read-only)	\??\L:	NWDEiUim.exe
File opened (read-only)	\??\K:	NWDEiUim.exe
File opened (read-only)	\??\S:	aDTvGCQK64.exe
File opened (read-only)	\??\T:	aDTvGCQK64.exe
File opened (read-only)	\??\T:	NWDEiUim.exe
File opened (read-only)	\??\E:	NWDEiUim.exe
File opened (read-only)	\??\V:	aDTvGCQK64.exe
File opened (read-only)	\??\J:	aDTvGCQK64.exe
File opened (read-only)	\??\N:	aDTvGCQK64.exe
File opened (read-only)	\??\V:	NWDEiUim.exe
File opened (read-only)	\??\S:	NWDEiUim.exe
File opened (read-only)	\??\Q:	NWDEiUim.exe
File opened (read-only)	\??\Q:	aDTvGCQK64.exe
File opened (read-only)	\??\W:	aDTvGCQK64.exe
File opened (read-only)	\??\O:	NWDEiUim.exe
File opened (read-only)	\??\I:	NWDEiUim.exe
File opened (read-only)	\??\E:	aDTvGCQK64.exe
File opened (read-only)	\??\N:	NWDEiUim.exe
File opened (read-only)	\??\I:	aDTvGCQK64.exe
File opened (read-only)	\??\K:	aDTvGCQK64.exe
File opened (read-only)	\??\M:	aDTvGCQK64.exe
File opened (read-only)	\??\W:	NWDEiUim.exe
File opened (read-only)	\??\U:	NWDEiUim.exe
File opened (read-only)	\??\P:	NWDEiUim.exe
File opened (read-only)	\??\R:	NWDEiUim.exe
File opened (read-only)	\??\G:	NWDEiUim.exe
File opened (read-only)	\??\A:	aDTvGCQK64.exe
File opened (read-only)	\??\F:	aDTvGCQK64.exe
File opened (read-only)	\??\H:	aDTvGCQK64.exe
File opened (read-only)	\??\O:	aDTvGCQK64.exe
File opened (read-only)	\??\Z:	NWDEiUim.exe
File opened (read-only)	\??\Y:	NWDEiUim.exe
File opened (read-only)	\??\X:	NWDEiUim.exe
File opened (read-only)	\??\U:	aDTvGCQK64.exe
File opened (read-only)	\??\Z:	aDTvGCQK64.exe
File opened (read-only)	\??\X:	aDTvGCQK64.exe
File opened (read-only)	\??\Y:	aDTvGCQK64.exe
File opened (read-only)	\??\B:	aDTvGCQK64.exe
File opened (read-only)	\??\L:	aDTvGCQK64.exe
File opened (read-only)	\??\P:	aDTvGCQK64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\4Wa5cFsf.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Logo.png	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EET	NWDEiUim.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-CN.pak	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties	NWDEiUim.exe
File created	C:\Program Files\Java\jre7\lib\management\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	NWDEiUim.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	NWDEiUim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
868	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1680	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2016	aDTvGCQK64.exe
2016	aDTvGCQK64.exe
2016	aDTvGCQK64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2016	aDTvGCQK64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	aDTvGCQK64.exe
Token: SeLoadDriverPrivilege	2016	aDTvGCQK64.exe
Token: SeBackupPrivilege	916	vssvc.exe
Token: SeRestorePrivilege	916	vssvc.exe
Token: SeAuditPrivilege	916	vssvc.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	864	takeown.exe
Token: SeTakeOwnershipPrivilege	484	takeown.exe
Token: SeTakeOwnershipPrivilege	592	takeown.exe
Token: SeTakeOwnershipPrivilege	1052	takeown.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe
Token: SeTakeOwnershipPrivilege	1224	takeown.exe
Token: SeTakeOwnershipPrivilege	1396	takeown.exe
Token: SeTakeOwnershipPrivilege	1904	takeown.exe
Token: SeTakeOwnershipPrivilege	1440	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	1852	takeown.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe
Token: SeTakeOwnershipPrivilege	1724	takeown.exe
Token: SeTakeOwnershipPrivilege	2000	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1528	1992	NWDEiUim.exe	29
PID 1992 wrote to memory of 1528	1992	NWDEiUim.exe	29
PID 1992 wrote to memory of 1528	1992	NWDEiUim.exe	29
PID 1992 wrote to memory of 1528	1992	NWDEiUim.exe	29
PID 1992 wrote to memory of 1492	1992	NWDEiUim.exe	32
PID 1992 wrote to memory of 1492	1992	NWDEiUim.exe	32
PID 1992 wrote to memory of 1492	1992	NWDEiUim.exe	32
PID 1992 wrote to memory of 1492	1992	NWDEiUim.exe	32
PID 1992 wrote to memory of 1960	1992	NWDEiUim.exe	34
PID 1992 wrote to memory of 1960	1992	NWDEiUim.exe	34
PID 1992 wrote to memory of 1960	1992	NWDEiUim.exe	34
PID 1992 wrote to memory of 1960	1992	NWDEiUim.exe	34
PID 1992 wrote to memory of 2024	1992	NWDEiUim.exe	36
PID 1992 wrote to memory of 2024	1992	NWDEiUim.exe	36
PID 1992 wrote to memory of 2024	1992	NWDEiUim.exe	36
PID 1992 wrote to memory of 2024	1992	NWDEiUim.exe	36
PID 1960 wrote to memory of 1964	1960	cmd.exe	38
PID 1960 wrote to memory of 1964	1960	cmd.exe	38
PID 1960 wrote to memory of 1964	1960	cmd.exe	38
PID 1960 wrote to memory of 1964	1960	cmd.exe	38
PID 2024 wrote to memory of 908	2024	cmd.exe	39
PID 2024 wrote to memory of 908	2024	cmd.exe	39
PID 2024 wrote to memory of 908	2024	cmd.exe	39
PID 2024 wrote to memory of 908	2024	cmd.exe	39
PID 1960 wrote to memory of 1724	1960	cmd.exe	40
PID 1960 wrote to memory of 1724	1960	cmd.exe	40
PID 1960 wrote to memory of 1724	1960	cmd.exe	40
PID 1960 wrote to memory of 1724	1960	cmd.exe	40
PID 1960 wrote to memory of 1348	1960	cmd.exe	41
PID 1960 wrote to memory of 1348	1960	cmd.exe	41
PID 1960 wrote to memory of 1348	1960	cmd.exe	41
PID 1960 wrote to memory of 1348	1960	cmd.exe	41
PID 1992 wrote to memory of 1604	1992	NWDEiUim.exe	42
PID 1992 wrote to memory of 1604	1992	NWDEiUim.exe	42
PID 1992 wrote to memory of 1604	1992	NWDEiUim.exe	42
PID 1992 wrote to memory of 1604	1992	NWDEiUim.exe	42
PID 1604 wrote to memory of 1772	1604	cmd.exe	44
PID 1604 wrote to memory of 1772	1604	cmd.exe	44
PID 1604 wrote to memory of 1772	1604	cmd.exe	44
PID 1604 wrote to memory of 1772	1604	cmd.exe	44
PID 1604 wrote to memory of 1508	1604	cmd.exe	45
PID 1604 wrote to memory of 1508	1604	cmd.exe	45
PID 1604 wrote to memory of 1508	1604	cmd.exe	45
PID 1604 wrote to memory of 1508	1604	cmd.exe	45
PID 1604 wrote to memory of 1684	1604	cmd.exe	46
PID 1604 wrote to memory of 1684	1604	cmd.exe	46
PID 1604 wrote to memory of 1684	1604	cmd.exe	46
PID 1604 wrote to memory of 1684	1604	cmd.exe	46
PID 1684 wrote to memory of 1960	1684	cmd.exe	47
PID 1684 wrote to memory of 1960	1684	cmd.exe	47
PID 1684 wrote to memory of 1960	1684	cmd.exe	47
PID 1684 wrote to memory of 1960	1684	cmd.exe	47
PID 908 wrote to memory of 2028	908	wscript.exe	48
PID 908 wrote to memory of 2028	908	wscript.exe	48
PID 908 wrote to memory of 2028	908	wscript.exe	48
PID 908 wrote to memory of 2028	908	wscript.exe	48
PID 1960 wrote to memory of 2016	1960	aDTvGCQK.exe	50
PID 1960 wrote to memory of 2016	1960	aDTvGCQK.exe	50
PID 1960 wrote to memory of 2016	1960	aDTvGCQK.exe	50
PID 1960 wrote to memory of 2016	1960	aDTvGCQK.exe	50
PID 2028 wrote to memory of 868	2028	cmd.exe	52
PID 2028 wrote to memory of 868	2028	cmd.exe	52
PID 2028 wrote to memory of 868	2028	cmd.exe	52
PID 2028 wrote to memory of 868	2028	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe
"C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe" "C:\Users\Admin\AppData\Local\Temp\NWDb3u0Q.exe"
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\NWDb3u0Q.exe
  "C:\Users\Admin\AppData\Local\Temp\NWDb3u0Q.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4Wa5cFsf.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4Wa5cFsf.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Matrix Ransomware
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\BSeRRHNL.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\BSeRRHNL.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3WFzdJHv.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3WFzdJHv.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK64.exe
        
        aDTvGCQK.exe -accepteula "DefaultID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:516
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1376
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:960
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  - Loads dropped DLL
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Journal.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Journal.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  - Loads dropped DLL
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  - Loads dropped DLL
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Music.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Music.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  - Loads dropped DLL
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  - Loads dropped DLL
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  - Loads dropped DLL
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  - Loads dropped DLL
  PID:1820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "br.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "br.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  - Loads dropped DLL
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  - Loads dropped DLL
  PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:348
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  - Loads dropped DLL
  PID:1348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  - Loads dropped DLL
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1300
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  - Loads dropped DLL
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  - Loads dropped DLL
  PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:960
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1360
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1440
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:1016
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "license.html" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "license.html" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:436
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:484
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:656
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      PID:960
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    - Modifies file permissions
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:296
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:960
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    - Modifies file permissions
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:912
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Modifies file permissions
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:436
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:484
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:296
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:1296
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:572
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    - Modifies file permissions
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    - Modifies file permissions
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:296
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:1296
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    - Modifies file permissions
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:928
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "background.png" -nobanner
      4⤵
      PID:656
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:1360
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:296
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:572
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1016
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:1296
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    - Modifies file permissions
    PID:656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "main.css" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "main.css" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1300
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:484
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:436
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    - Modifies file permissions
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aDTvGCQK.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
      aDTvGCQK.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\aDTvGCQK.exe
    aDTvGCQK.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QFAyUAdu.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {781232A7-D3F7-4D8C-A53F-A7652C3ADE51} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:944
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3WFzdJHv.bat"
  2⤵
  PID:1108
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1828
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1700
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1508