Analysis
-
max time kernel
0s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30-12-2023 16:29
General
-
Target
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
-
Size
6.5MB
-
MD5
1a699d18fc42426c1fdfe7ad01a42d20
-
SHA1
f8b0d7c0019f48ffb8f6d0f0634104751cc5842f
-
SHA256
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
-
SHA512
b6c0abad59318341f2ce0c9057df1d3dfe6421da36519b15927bbe769807ca007761bc47a64e69513ddb9d9cd02f8f2df6bce755a5c26adfadacd62da08ba253
-
SSDEEP
196608:ugY5Wpp0209r4M3jtxMTdLZ4jSonnP6TH3DwGP:Y5Wp0202A/ConuP
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe"C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe" "C:\Users\Admin\AppData\Local\Temp\NWBlruYk.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NWBlruYk.exe"C:\Users\Admin\AppData\Local\Temp\NWBlruYk.exe" -n2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\pxsQTSj4.vbs"2⤵
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\pxsQTSj4.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\0WytFXFa.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\0WytFXFa.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006N.bin" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VlwGMOLz.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VlwGMOLz.bmp" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AD.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AD.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.62e2a315-93ea-46c9-a982-6ae4b9dd3d06.1.etl"3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.62e2a315-93ea-46c9-a982-6ae4b9dd3d06.1.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.62e2a315-93ea-46c9-a982-6ae4b9dd3d06.1.etl" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000H.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000054.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin"4⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000095.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000081.bin" -nobanner4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "classes.jsa" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008J.bin" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000017.bin" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000005.bin" -nobanner5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "superbar.png" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008J.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000T.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000085.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin" /E /G Admin:F /C4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007V.bin" -nobanner5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008D.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000012.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007A.bin" -nobanner3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006N.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000F.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000N.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000R.bin" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "settings.dat" -nobanner5⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006S.bin" -nobanner6⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009J.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009J.bin" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "settings.dat" -nobanner5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000011.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "watermark.png" -nobanner4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009L.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin" /E /G Admin:F /C5⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000S.bin" -nobanner6⤵
-
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "background.png" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin" /E /G Admin:F /C3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007R.bin" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000010.bin" -nobanner5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AH.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin"3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000B3.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009F.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009F.bin" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000A6.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000089.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "device.png" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "device.png" -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000B7.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin" /E /G Admin:F /C5⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006S.bin" -nobanner6⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008F.bin" -nobanner6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000L.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" /E /G Admin:F /C5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000V.bin" -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" -nobanner5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000093.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000081.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl""2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl"3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000095.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.62e2a315-93ea-46c9-a982-6ae4b9dd3d06.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008L.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.1.etl""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000052.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000012.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007A.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl"3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000008.bin" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "wab.exe" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000A9.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin""2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000A0.bin" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgV7MEcn.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""2⤵
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\0WytFXFa.bat"1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000O.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000O.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006D.bin" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "store.db" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009L.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007E.bin" -nobanner2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "store.db" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000B1.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "BrowserCore.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "BrowserCore.exe.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "classes.jsa" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "Identity-V" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000U.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006U.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000076.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000091.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000A0.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007I.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin"2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000J.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000J.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000014.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007C.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007K.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008D.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000T.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008V.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008V.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "settings.dat" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "OfficeIntegrator.ps1" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "KnownGameList.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000006.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000Q.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000Q.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007K.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007Q.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000D.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000V.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "overlay.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "StorageHealthModel.dat" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "background.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006F.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000087.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009B.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "settings.dat" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000L.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "TileCache_100_0_Header.bin" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "TileCache_100_0_Header.bin" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000015.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000075.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000075.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000099.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009H.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009H.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000G.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000007.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000007.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000R.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006J.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AN.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000B1.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006H.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000N.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000089.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008R.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008R.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000S.bin" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "settings.dat" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AL.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AL.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AV.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000050.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000050.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "settings.dat" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008H.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000G.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag"4⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner5⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009D.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "watermark.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "background.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000018.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.3f613709-9590-47d8-84a4-c3524573cbbd.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000054.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006L.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin"2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.13cbca30-34b2-4d93-b9a7-c9288549104a.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007C.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "TileCache_100_0_Data.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "TileCache_100_0_Data.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.62e2a315-93ea-46c9-a982-6ae4b9dd3d06.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009B.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "superbar.png" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "OfficeIntegrator.ps1" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000093.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008H.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006P.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007O.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007O.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007G.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007G.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000078.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000078.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000070.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000070.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000A7.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000058.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000058.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000085.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000018.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000083.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000010.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007R.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000A9.bin" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000F.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000004.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000004.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000072.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000B7.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AV.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000013.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000A4.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000A4.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AJ.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009D.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006P.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006H.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AN.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000009M.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AF.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AF.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000A6.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000083.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000073.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000073.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006J.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.08cce21c-43a0-40eb-99e4-681f9cf37841.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.1.etl"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000013.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000I.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000I.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000B5.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000006.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000011.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000P.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000P.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000005.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000017.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000B3.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "vcredist_x64.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AP.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AP.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "vcredist_x64.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000AH.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000099.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.a0d58d05-8968-42ef-b9e5-c4efc68f70a9.1.etl" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007T.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007T.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006L.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000006D.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000015.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "00000009.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000009.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "Workflow.Targets" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000B5.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "000000AJ.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000008.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "vc_runtimeMinimum_x64.msi" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.506c8977-7673-47c2-a08b-a54b89b03558.1.etl" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000000D.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C2⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "cab1.cab" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.4e768468-a1d2-4927-9df0-427e21a486ca.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000087.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007V.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000006F.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "Workflow.Targets" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "background.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000014.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.be716218-c766-4012-bd0a-6b9b34b8195a.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "StorageHealthModel.dat" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "KnownGameList.bin" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "overlay.png" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "settings.dat" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000009M.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000007Q.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9ad038ae-5f58-4794-a32e-adc58517249f.2.etl" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000007I.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000072.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000052.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000000H.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.b51a0a29-a3b8-4fdf-8108-e79b0fc6fd9b.1.etl" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "vc_runtimeMinimum_x64.msi" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "cab1.cab" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "000000A7.bin" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "settings.dat" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008L.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "wab.exe" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "00000091.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula "0000008N.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008N.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZRVIZhg9.exeZRVIZhg9.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZRVIZhg9.exe -accepteula "0000008F.bin" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" /E /G Admin:F /C1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
149KB
MD554be8b3efe20a65f3a885c3b164de3cb
SHA1017de2db12180c4e1ff7c0d7f59eb88f0cda4d77
SHA25692182df4256a131b8d66b01efad4dd4936a348ec21bb873c8c03a11fc99702d7
SHA512bce3c8ffdbaf6e620f01046f48b472e2b226cff20e6eb7872524678254d3b896ee1153f438be602f9cd985e2247f4eb84f01000896d9891e1ca8e4a9242ac599
-
Filesize
265B
MD56d90c1be20477a50d6c5469f2d9ca35d
SHA149916f81c1cc3ac90cc6c87113e349bf3dfad835
SHA256855fe630b4c4028fe8b16d52bcaee2b889929cefa2852b5aa439bba38edc81a2
SHA512dec9cddda35133c7f1a7829688a405ad6815616edc0ee9f2436cdd34fab97f2080fa8f55fbd4c496c67d0ac46dbe757b2c555442c9c789cbb67248dcf54b7de4
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB