hxxps://steamcommunity[.]com/sharedfiles/filedetails/?id=2163278857

Resubmissions

29-06-2023 16:16

230629-tq18gseb56 8

29-06-2023 15:43

230629-s574xaef8z 10

Analysis

max time kernel
638s
max time network
1727s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunity.com/sharedfiles/filedetails/?id=2163278857

Score

10^/10

bootkit discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

unregmp2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

icacls.exe

pid	process
372
404
1688
4408
3780
4032
1664
4328
5868
2244
4644
2372
3900
4748
444
3560
4152
5492	icacls.exe
6008
5904
4748
5920
3568
2204
4824
3696
2864
5660
1504
3156
3768
4348
5276
628
5356
2156
2320
4768
2360
8
4980
5420
4328
5728
724
2372
6132
5584
2316
5916
5996
1484
1460
2924
264
4308
5352
3088
4864
4308
1064
2248
5884
2712

Executes dropped EXE 11 IoCs

Processes:

Bonzify.execmd.exeBonzify.exeAgentSvr.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

pid process

3984 Bonzify.exe
5516 cmd.exe
2232
1068
3604
5536 Bonzify.exe
384
2196
2464
3464 AgentSvr.exe
3276 WinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
3984	Bonzify.exe
5516	cmd.exe
2232
1068
3604
5536	Bonzify.exe
384
2196
2464
3464	AgentSvr.exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe

Loads dropped DLL 30 IoCs

Processes:

cmd.exetakeown.exeBonzify.exeBonzify.exeAgentSvr.exe

pid	process
5516	cmd.exe
1564	takeown.exe
1820
5416
3692
5712
5356
5192
1068
1836
1836
3796
3984	Bonzify.exe
3604
384
4140
4968
3596
5168
4348
5180
632
2464
2684
2684
5484
5536	Bonzify.exe
3464	AgentSvr.exe
3464	AgentSvr.exe
3464	AgentSvr.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exe

pid	process
4536
3400
3856
1160
2176
3900
4716
2152
1932
5744
1460
556
5824
920
568
4672
5944
4960
3032
5100
5268
3528
5916
412
2004
5484
4908
3444
2712
3636
2464
4052
4748
5044
5852	takeown.exe
2284
4528
2196
4316
4936
5060
3752
6052
3916
1992
4748
1064
4872
724
1628
6020
4872
460
5384
1160
1484
4640
1484
4992
1920
5048
5688
3780
1944

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Drops desktop.ini file(s) 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description ioc process

File opened for modification \??\PhysicalDrive0 WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive (Created By WobbyChip).exe

Drops file in System32 directory 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SETD70D.tmp
File created	C:\Windows\SysWOW64\SETD70D.tmp
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll

Drops file in Program Files directory 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 64 IoCs

Processes:

Bonzify.exesvchost.exeBonzify.exe

description	ioc	process
File created	C:\Windows\INF\SETE45E.tmp
File opened for modification	C:\Windows\msagent\intl\SETE481.tmp
File opened for modification	C:\Windows\msagent\mslwvtts.dll
File created	C:\Windows\lhsp\help\SETD70A.tmp
File opened for modification	C:\Windows\msagent\SETE45D.tmp
File created	C:\Windows\lhsp\tv\SETE773.tmp
File opened for modification	C:\Windows\fonts\SETE7C4.tmp
File created	C:\Windows\fonts\SETE7C4.tmp
File opened for modification	C:\Windows\msagent\AgentMPx.dll
File opened for modification	C:\Windows\msagent\AgentAnm.dll
File opened for modification	C:\Windows\msagent\SETE428.tmp
File opened for modification	C:\Windows\msagent\SETE44D.tmp
File opened for modification	C:\Windows\lhsp\tv\SETE784.tmp
File created	C:\Windows\msagent\SETD299.tmp
File created	C:\Windows\lhsp\tv\SETD708.tmp
File opened for modification	C:\Windows\msagent\intl\SETD2BE.tmp
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp
File opened for modification	C:\Windows\lhsp\help\SETE7B4.tmp
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SETE45F.tmp
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll
File opened for modification	C:\Windows\INF\SETE7C5.tmp
File created	C:\Windows\msagent\SETD297.tmp
File created	C:\Windows\INF\SETD70C.tmp
File opened for modification	C:\Windows\INF\SETD2AB.tmp
File opened for modification	C:\Windows\help\SETD2BD.tmp
File opened for modification	C:\Windows\fonts\andmoipa.ttf
File created	C:\Windows\lhsp\tv\SETE784.tmp
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\msagent\SETD286.tmp
File opened for modification	C:\Windows\INF\agtinst.inf
File created	C:\Windows\INF\SETE7C5.tmp
File opened for modification	C:\Windows\msagent\SETD2AC.tmp
File opened for modification	C:\Windows\msagent\AgentDp2.dll
File opened for modification	C:\Windows\msagent\SETD2BF.tmp
File opened for modification	C:\Windows\help\Agt0409.hlp
File opened for modification	C:\Windows\msagent\AgentDPv.dll
File opened for modification	C:\Windows\fonts\andmoipa.ttf
File created	C:\Windows\msagent\SETD2AC.tmp
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe
File opened for modification	C:\Windows\msagent\SETD2AA.tmp
File opened for modification	C:\Windows\msagent\AgentPsh.dll
File opened for modification	C:\Windows\msagent\mslwvtts.dll
File created	C:\Windows\msagent\SETE482.tmp
File created	C:\Windows\help\SETD2BD.tmp
File created	C:\Windows\msagent\SETE428.tmp
File created	C:\Windows\msagent\intl\SETE481.tmp
File opened for modification	C:\Windows\msagent\SETD285.tmp
File created	C:\Windows\msagent\SETD287.tmp
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb
File created	C:\Windows\fonts\SETD70B.tmp
File opened for modification	C:\Windows\msagent\AgentCtl.dll
File opened for modification	C:\Windows\msagent\SETE43B.tmp
File opened for modification	C:\Windows\msagent\SETD287.tmp
File opened for modification	C:\Windows\fonts\SETD70B.tmp
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll
File opened for modification	C:\Windows\INF\tv_enua.inf
File created	C:\Windows\executables.bin	Bonzify.exe
File created	C:\Windows\msagent\SETE429.tmp
File opened for modification	C:\Windows\msagent\SETE44C.tmp

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3596 taskkill.exe
1952 taskkill.exe

pid	process
3596	taskkill.exe
1952	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\Mouse	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2841242076"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea000000000200000000001066000000010000200000006670f92aea7dca19d17bf62f78a9488b0aa423a49f8d516cc9b775369cd3de75000000000e80000000020000200000002a1cfdb9fcc23507b5ff574c82afc0adff7c8c56679474f9561908fc0f305dec20000000130226a749384f39f5a58915ca2d37f7efc394e74db3b97ff0512891eabb200540000000aa2bfa3bea4acd617aba8b97d2685373f11826e745c8805be12876e9a1ca73364e98b7ae680ba6a84cc7b4ff419092e8d41f78bb506d8291bd7a660b05866ed9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042208"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea0000000002000000000010660000000100002000000085547fbe8f8a28a0b4db47ade2ebf730e692a10037ccb1db64df3895326c02e0000000000e8000000002000020000000919164591a924de89cdc601be21e44f7486c10cb4fc434a4b52083e5c4271556200000006bf9aef616a2f91679d4750109194aa49a7a5c9ca527635011a6febc5dbe992240000000e9d85108612562f3345a35ecfb45c86d25f760c8774c18bd97d4ee1d089f413afd8e0e8e1af26ce79aa9747fb02c3be4604760ef39e6c361decb29bdaa17732c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c6d8aba0aad901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04ef5aba0aad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D41A8350-1693-11EE-9FB7-CE83860A346F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042208"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042208"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2830147319"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2830147319"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

takeown.exeunregmp2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{143A62C8-C33B-11D1-84FE-00C04FA34A14}\InprocServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Flat File Provider 2.0"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\ = "Microsoft Agent Control 1.5"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\ = "Microsoft Agent Character File"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ = "_AgentEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2\ = "Microsoft Agent Control 2.0"	takeown.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1	takeown.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\ = "Microsoft Agent Server 1.5"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\VersionIndependentProgID\ = "Agent.Control"	takeown.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID\ = "Agent.Control.2"
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\VersionIndependentProgID	takeown.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\TypeLib
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Control
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Control 2.0"	takeown.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentPropertySheet"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe\\2"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version\ = "2.0"	takeown.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Server 2.0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlAudioObject"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwv\ = "LWVFile"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib\ = "{D6589123-FC70-11D0-AC94-00C04FD97575}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Bonzify-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

unregmp2.exewmplayer.exefirefox.exetaskkill.execmd.execmd.exetakeown.exetakeown.exetakeown.exeAgentSvr.execmd.exe

description	pid	process
Token: SeShutdownPrivilege	4216	unregmp2.exe
Token: SeCreatePagefilePrivilege	4216	unregmp2.exe
Token: SeShutdownPrivilege	1556	wmplayer.exe
Token: SeCreatePagefilePrivilege	1556	wmplayer.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeTakeOwnershipPrivilege	5552	cmd.exe
Token: SeTakeOwnershipPrivilege	3596	cmd.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	436
Token: SeTakeOwnershipPrivilege	4776
Token: SeTakeOwnershipPrivilege	628	takeown.exe
Token: SeTakeOwnershipPrivilege	552
Token: SeTakeOwnershipPrivilege	1228
Token: SeTakeOwnershipPrivilege	1944
Token: SeTakeOwnershipPrivilege	6084	takeown.exe
Token: SeTakeOwnershipPrivilege	2632
Token: SeTakeOwnershipPrivilege	5852
Token: SeTakeOwnershipPrivilege	436
Token: SeTakeOwnershipPrivilege	4828
Token: SeTakeOwnershipPrivilege	5704
Token: SeTakeOwnershipPrivilege	5712
Token: 33	3604
Token: SeIncBasePriorityPrivilege	3604
Token: SeTakeOwnershipPrivilege	5992
Token: SeTakeOwnershipPrivilege	3528
Token: SeDebugPrivilege	824	firefox.exe
Token: SeTakeOwnershipPrivilege	5332
Token: SeTakeOwnershipPrivilege	5960
Token: SeTakeOwnershipPrivilege	4140
Token: SeTakeOwnershipPrivilege	3536
Token: SeDebugPrivilege	3596
Token: SeTakeOwnershipPrivilege	5052
Token: SeTakeOwnershipPrivilege	2648
Token: SeTakeOwnershipPrivilege	2108
Token: SeTakeOwnershipPrivilege	2196
Token: SeTakeOwnershipPrivilege	6140
Token: SeTakeOwnershipPrivilege	5428
Token: SeTakeOwnershipPrivilege	444
Token: SeTakeOwnershipPrivilege	636
Token: SeTakeOwnershipPrivilege	1236
Token: SeTakeOwnershipPrivilege	908
Token: SeTakeOwnershipPrivilege	3844
Token: SeTakeOwnershipPrivilege	436
Token: SeTakeOwnershipPrivilege	1484
Token: SeTakeOwnershipPrivilege	440
Token: SeTakeOwnershipPrivilege	6044
Token: SeTakeOwnershipPrivilege	5568
Token: SeTakeOwnershipPrivilege	5332
Token: SeTakeOwnershipPrivilege	3464	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	5180
Token: SeTakeOwnershipPrivilege	5480
Token: SeTakeOwnershipPrivilege	412
Token: SeTakeOwnershipPrivilege	5684
Token: SeTakeOwnershipPrivilege	1344
Token: SeTakeOwnershipPrivilege	5440
Token: SeTakeOwnershipPrivilege	5456	cmd.exe
Token: SeTakeOwnershipPrivilege	2780
Token: SeTakeOwnershipPrivilege	2096

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

iexplore.exewmplayer.exefirefox.exeAgentSvr.exe

pid	process
860	iexplore.exe
1556	wmplayer.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
3604
3604
3464	AgentSvr.exe
3464	AgentSvr.exe
824	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

firefox.exeAgentSvr.exe

pid process

824 firefox.exe
824 firefox.exe
824 firefox.exe
3604
3604
3464 AgentSvr.exe
3464 AgentSvr.exe

pid	process
824	firefox.exe
824	firefox.exe
824	firefox.exe
3604
3604
3464	AgentSvr.exe
3464	AgentSvr.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exeBonzify.execmd.exeBonzify.exeAgentSvr.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
860	iexplore.exe
860	iexplore.exe
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
3984	Bonzify.exe
5516	cmd.exe
2232
1068
3604
5536	Bonzify.exe
384
2196
2464
3464	AgentSvr.exe
3276	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exewmplayer.exeunregmp2.exesetup_wm.exeunregmp2.exefirefox.exefirefox.exe

description	pid	process	target process
PID 860 wrote to memory of 3512	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 3512	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 3512	860	iexplore.exe	IEXPLORE.EXE
PID 3804 wrote to memory of 4776	3804	wmplayer.exe	setup_wm.exe
PID 3804 wrote to memory of 4776	3804	wmplayer.exe	setup_wm.exe
PID 3804 wrote to memory of 4776	3804	wmplayer.exe	setup_wm.exe
PID 3804 wrote to memory of 3076	3804	wmplayer.exe	unregmp2.exe
PID 3804 wrote to memory of 3076	3804	wmplayer.exe	unregmp2.exe
PID 3804 wrote to memory of 3076	3804	wmplayer.exe	unregmp2.exe
PID 3076 wrote to memory of 4216	3076	unregmp2.exe	unregmp2.exe
PID 3076 wrote to memory of 4216	3076	unregmp2.exe	unregmp2.exe
PID 4776 wrote to memory of 4064	4776	setup_wm.exe	unregmp2.exe
PID 4776 wrote to memory of 4064	4776	setup_wm.exe	unregmp2.exe
PID 4776 wrote to memory of 4064	4776	setup_wm.exe	unregmp2.exe
PID 4064 wrote to memory of 1652	4064	unregmp2.exe	unregmp2.exe
PID 4064 wrote to memory of 1652	4064	unregmp2.exe	unregmp2.exe
PID 4776 wrote to memory of 1556	4776	setup_wm.exe	wmplayer.exe
PID 4776 wrote to memory of 1556	4776	setup_wm.exe	wmplayer.exe
PID 4776 wrote to memory of 1556	4776	setup_wm.exe	wmplayer.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 4824 wrote to memory of 824	4824	firefox.exe	firefox.exe
PID 824 wrote to memory of 804	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 804	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 2100	824	firefox.exe	firefox.exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/sharedfiles/filedetails/?id=2163278857
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\unregmp2.exe
C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
3⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:1652

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\ConvertReset.mp2
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1556

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.0.1719530797\1193898062" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1792 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {417de9fb-bdf6-4183-9f7a-44622d5d84ae} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1932 21467919558 gpu
3⤵
PID:804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.1.407426217\1531318711" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {266670b8-0911-4e2a-ae3c-477f515675e7} 824 "\\.\pipe\gecko-crash-server-pipe.824" 2332 21459972b58 socket
3⤵
PID:2100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.2.1075328007\715328370" -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 2832 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5145b3-4df5-4506-9390-7bd44903b7ed} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3116 2146a709d58 tab
3⤵
PID:4064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.3.623087662\314664403" -childID 2 -isForBrowser -prefsHandle 3064 -prefMapHandle 3040 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4595d02-f44f-4314-bdc6-9079cd6dc1b1} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3520 2145995eb58 tab
3⤵
PID:2156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.4.1425314751\1969411900" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 4064 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de66484a-7bea-40a2-a1e2-cd7a29852ef9} 824 "\\.\pipe\gecko-crash-server-pipe.824" 4176 2146ba48558 tab
3⤵
PID:4256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.5.1569165639\1502488596" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4952 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b02f9724-151b-45fa-8c43-29cc6798ec63} 824 "\\.\pipe\gecko-crash-server-pipe.824" 4976 2146cdeb158 tab
3⤵
PID:5240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.6.1115369349\410846809" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45b02320-5069-4c59-8477-d81a986b067d} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5100 2146cf81558 tab
3⤵
PID:5248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.7.819431547\2047316473" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {681883bd-0674-4f2e-a132-7ab38519f686} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5304 2146cf82458 tab
3⤵
PID:5256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.8.426144731\1202344331" -childID 7 -isForBrowser -prefsHandle 5680 -prefMapHandle 4776 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2801e50a-d01a-45ea-8d6d-8dd5b5677543} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5688 2146b4c8858 tab
3⤵
PID:460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.9.154484451\1032170546" -parentBuildID 20221007134813 -prefsHandle 6008 -prefMapHandle 5980 -prefsLen 27195 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e23113-1284-4d9c-a2fc-7b7932c9ddff} 824 "\\.\pipe\gecko-crash-server-pipe.824" 6016 2146f05be58 rdd
3⤵
PID:3148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.10.919874654\543406036" -childID 8 -isForBrowser -prefsHandle 2820 -prefMapHandle 6036 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af974c01-161f-4d76-a5c8-faedb010103c} 824 "\\.\pipe\gecko-crash-server-pipe.824" 6016 2146f059a58 tab
3⤵
PID:5776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.11.533920370\691051426" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5700 -prefMapHandle 5964 -prefsLen 27331 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77500df7-e677-4790-83ae-06d42f313cbd} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5252 2146f323258 utility
3⤵
PID:6108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.12.779414301\999360446" -childID 9 -isForBrowser -prefsHandle 3300 -prefMapHandle 5924 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb847220-f847-44fe-adf0-918f18bf7199} 824 "\\.\pipe\gecko-crash-server-pipe.824" 4812 2146ebe2b58 tab
3⤵
PID:4936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.13.938404287\357579814" -childID 10 -isForBrowser -prefsHandle 5460 -prefMapHandle 2792 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cddd597-fb8c-4019-8948-e252102f3003} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5456 2146f723258 tab
3⤵
PID:4056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.14.86281573\2072551210" -childID 11 -isForBrowser -prefsHandle 6504 -prefMapHandle 6508 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85f103f0-b38e-4e37-97f3-d6a31b6a4838} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5636 2146818b258 tab
3⤵
PID:216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.15.14137977\1762199390" -childID 12 -isForBrowser -prefsHandle 5076 -prefMapHandle 6524 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227a576b-5029-4bd3-96d0-7a66a32bd449} 824 "\\.\pipe\gecko-crash-server-pipe.824" 5048 2146630dd58 tab
3⤵
PID:856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.16.1026288554\1613844713" -childID 13 -isForBrowser -prefsHandle 5608 -prefMapHandle 5824 -prefsLen 27436 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d44f5e70-b0e0-4666-8c92-d24d4e461f25} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3616 2146b4a9b58 tab
3⤵
PID:1696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.17.1627230867\564236327" -childID 14 -isForBrowser -prefsHandle 3720 -prefMapHandle 6380 -prefsLen 27436 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b8248be-ca40-48ae-87dc-19e18fe8b367} 824 "\\.\pipe\gecko-crash-server-pipe.824" 6920 2146cd52058 tab
3⤵
PID:5716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.18.861215585\1783533723" -childID 15 -isForBrowser -prefsHandle 6552 -prefMapHandle 6556 -prefsLen 27436 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc51cce-278d-4e54-8bd1-dee0a46d13f1} 824 "\\.\pipe\gecko-crash-server-pipe.824" 6420 21459930e58 tab
3⤵
PID:2564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.19.651656793\1392406423" -childID 16 -isForBrowser -prefsHandle 2784 -prefMapHandle 6544 -prefsLen 27436 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f1721a-ba1a-4542-8121-250e565b3c2c} 824 "\\.\pipe\gecko-crash-server-pipe.824" 6548 2146d51ae58 tab
3⤵
PID:5340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:372

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
PID:3400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
PID:2284

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
PID:5516

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
3⤵
PID:1564

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
3⤵
PID:1820

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
3⤵
PID:5416

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
3⤵
PID:3692

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
3⤵
PID:5712

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
3⤵
PID:5356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
3⤵
PID:5192

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
3⤵
PID:2232

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RdpSa.exe"
2⤵
PID:5536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RdpSa.exe"
3⤵
PID:5552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RdpSa.exe" /grant "everyone":(f)
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RdpSaProxy.exe"
2⤵
PID:5188

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RdpSaProxy.exe"
3⤵
PID:3596

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RdpSaProxy.exe" /grant "everyone":(f)
3⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RdpSaUacHelper.exe"
2⤵
PID:2804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RdpSaUacHelper.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RdpSaUacHelper.exe" /grant "everyone":(f)
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\rdrleakdiag.exe"
2⤵
PID:5776

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\rdrleakdiag.exe"
3⤵
PID:436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\rdrleakdiag.exe" /grant "everyone":(f)
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\ReAgentc.exe"
2⤵
PID:5060

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ReAgentc.exe"
3⤵
PID:4776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\ReAgentc.exe" /grant "everyone":(f)
3⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\recover.exe"
2⤵
PID:4824

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\recover.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\recover.exe" /grant "everyone":(f)
3⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\reg.exe"
2⤵
PID:4052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\reg.exe"
3⤵
PID:552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\reg.exe" /grant "everyone":(f)
3⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\regedit.exe"
2⤵
PID:5960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\regedit.exe"
3⤵
PID:1228

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\regedit.exe" /grant "everyone":(f)
3⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
PID:1068

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:5300

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
3⤵
PID:3796

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\regedt32.exe"
2⤵
PID:6072

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\regedt32.exe"
3⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\regedt32.exe" /grant "everyone":(f)
3⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\regini.exe"
2⤵
PID:528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\regini.exe" /grant "everyone":(f)
3⤵
PID:5656

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\regini.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Register-CimProvider.exe"
2⤵
PID:5160

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Register-CimProvider.exe"
3⤵
PID:2632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Register-CimProvider.exe" /grant "everyone":(f)
3⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\regsvr32.exe"
2⤵
PID:1232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\regsvr32.exe"
3⤵
PID:5852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\regsvr32.exe" /grant "everyone":(f)
3⤵
PID:5804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\rekeywiz.exe"
2⤵
PID:2804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\rekeywiz.exe"
3⤵
PID:436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\rekeywiz.exe" /grant "everyone":(f)
3⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\relog.exe"
2⤵
PID:2104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\relog.exe"
3⤵
PID:4828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\relog.exe" /grant "everyone":(f)
3⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\replace.exe"
2⤵
PID:3040

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\replace.exe"
3⤵
PID:5704

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\replace.exe" /grant "everyone":(f)
3⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\resmon.exe"
2⤵
PID:3692

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\resmon.exe"
3⤵
PID:5712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\resmon.exe" /grant "everyone":(f)
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RMActivate.exe"
2⤵
PID:952

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RMActivate.exe"
3⤵
PID:5992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RMActivate.exe" /grant "everyone":(f)
3⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RMActivate_isv.exe"
2⤵
PID:4052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RMActivate_isv.exe"
3⤵
PID:3528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RMActivate_isv.exe" /grant "everyone":(f)
3⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RMActivate_ssp.exe"
2⤵
PID:5212

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RMActivate_ssp.exe"
3⤵
PID:5332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RMActivate_ssp.exe" /grant "everyone":(f)
3⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"
2⤵
PID:4668

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"
3⤵
PID:5960

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe" /grant "everyone":(f)
3⤵
PID:5344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RmClient.exe"
2⤵
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RmClient.exe"
3⤵
PID:4140

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RmClient.exe" /grant "everyone":(f)
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Robocopy.exe"
2⤵
PID:5196

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Robocopy.exe"
3⤵
PID:5052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Robocopy.exe" /grant "everyone":(f)
3⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\ROUTE.EXE"
2⤵
PID:632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ROUTE.EXE"
3⤵
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\ROUTE.EXE" /grant "everyone":(f)
3⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RpcPing.exe"
2⤵
PID:5844

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RpcPing.exe"
3⤵
PID:6140

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RpcPing.exe" /grant "everyone":(f)
3⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\rrinstaller.exe"
2⤵
PID:5820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\rrinstaller.exe" /grant "everyone":(f)
3⤵
PID:5696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\rrinstaller.exe"
3⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\runas.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\runas.exe"
3⤵
PID:908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\runas.exe" /grant "everyone":(f)
3⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:4900

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\rundll32.exe"
3⤵
PID:1484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\rundll32.exe" /grant "everyone":(f)
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\RunLegacyCPLElevated.exe"
2⤵
PID:4300

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\RunLegacyCPLElevated.exe"
3⤵
PID:6044

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\RunLegacyCPLElevated.exe" /grant "everyone":(f)
3⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\runonce.exe"
2⤵
PID:4124

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\runonce.exe"
3⤵
PID:5568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\runonce.exe" /grant "everyone":(f)
3⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sc.exe"
2⤵
PID:2648

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sc.exe"
3⤵
PID:3464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sc.exe" /grant "everyone":(f)
3⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\schtasks.exe"
2⤵
PID:3972

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\schtasks.exe"
3⤵
PID:412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\schtasks.exe" /grant "everyone":(f)
3⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sdbinst.exe"
2⤵
PID:3040

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sdbinst.exe"
3⤵
PID:1344

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sdbinst.exe" /grant "everyone":(f)
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sdchange.exe"
2⤵
PID:5460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sdchange.exe"
3⤵
PID:5456

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sdchange.exe" /grant "everyone":(f)
3⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sdiagnhost.exe"
2⤵
PID:4292

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sdiagnhost.exe"
3⤵
PID:2780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sdiagnhost.exe" /grant "everyone":(f)
3⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SearchFilterHost.exe"
2⤵
PID:3796

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SearchFilterHost.exe"
3⤵
PID:2096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SearchFilterHost.exe" /grant "everyone":(f)
3⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SearchIndexer.exe"
2⤵
PID:3916

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SearchIndexer.exe"
3⤵
PID:5404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SearchIndexer.exe" /grant "everyone":(f)
3⤵
PID:5352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SearchProtocolHost.exe"
2⤵
PID:5088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SearchProtocolHost.exe"
3⤵
PID:5344

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SearchProtocolHost.exe" /grant "everyone":(f)
3⤵
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SecEdit.exe"
2⤵
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SecEdit.exe"
3⤵
PID:1744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SecEdit.exe" /grant "everyone":(f)
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\secinit.exe"
2⤵
PID:3304

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\secinit.exe"
3⤵
PID:3444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\secinit.exe" /grant "everyone":(f)
3⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sethc.exe"
2⤵
PID:3524

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sethc.exe"
3⤵
PID:5556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sethc.exe" /grant "everyone":(f)
3⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SettingSyncHost.exe"
2⤵
PID:1236

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SettingSyncHost.exe"
3⤵
PID:5140

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SettingSyncHost.exe" /grant "everyone":(f)
3⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\setup16.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\setup16.exe"
3⤵
PID:5452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\setup16.exe" /grant "everyone":(f)
3⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\setupugc.exe"
2⤵
PID:3040

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\setupugc.exe"
3⤵
- Modifies file permissions
PID:5852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\setupugc.exe" /grant "everyone":(f)
3⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\setx.exe"
2⤵
PID:5916

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\setx.exe"
3⤵
PID:2004

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\setx.exe" /grant "everyone":(f)
3⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sfc.exe"
2⤵
PID:5276

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sfc.exe"
3⤵
PID:5936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sfc.exe" /grant "everyone":(f)
3⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\shrpubw.exe"
2⤵
PID:3276

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\shrpubw.exe"
3⤵
PID:920

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\shrpubw.exe" /grant "everyone":(f)
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\shutdown.exe"
2⤵
PID:5352

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\shutdown.exe"
3⤵
PID:4320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\shutdown.exe" /grant "everyone":(f)
3⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SndVol.exe"
2⤵
PID:6044

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SndVol.exe"
3⤵
PID:3872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SndVol.exe" /grant "everyone":(f)
3⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sort.exe"
2⤵
PID:1832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sort.exe"
3⤵
PID:4328

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sort.exe" /grant "everyone":(f)
3⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe"
2⤵
PID:552

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe"
3⤵
PID:5500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe" /grant "everyone":(f)
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe"
2⤵
PID:5568

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe"
3⤵
PID:5132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe" /grant "everyone":(f)
3⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\srdelayed.exe"
2⤵
PID:2108

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\srdelayed.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\srdelayed.exe" /grant "everyone":(f)
3⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\stordiag.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\stordiag.exe"
3⤵
PID:5588

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\stordiag.exe" /grant "everyone":(f)
3⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\subst.exe"
2⤵
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\subst.exe"
3⤵
PID:1232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\subst.exe" /grant "everyone":(f)
3⤵
PID:5652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5776

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:5460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\svchost.exe" /grant "everyone":(f)
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\sxstrace.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sxstrace.exe"
3⤵
PID:3692

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sxstrace.exe" /grant "everyone":(f)
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SyncHost.exe"
2⤵
PID:520

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SyncHost.exe"
3⤵
PID:4516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SyncHost.exe" /grant "everyone":(f)
3⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\systeminfo.exe"
2⤵
PID:3528

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\systeminfo.exe"
3⤵
PID:6072

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\systeminfo.exe" /grant "everyone":(f)
3⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe"
2⤵
PID:3108

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe"
3⤵
PID:5980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe" /grant "everyone":(f)
3⤵
PID:5840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesComputerName.exe"
2⤵
PID:2568

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesComputerName.exe"
3⤵
PID:4688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesComputerName.exe" /grant "everyone":(f)
3⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe"
2⤵
PID:4968

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe"
3⤵
PID:3032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe" /grant "everyone":(f)
3⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesHardware.exe"
2⤵
PID:5252

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesHardware.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesHardware.exe" /grant "everyone":(f)
3⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesPerformance.exe"
2⤵
PID:1872

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesPerformance.exe"
3⤵
PID:4908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesPerformance.exe" /grant "everyone":(f)
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesProtection.exe"
2⤵
PID:5852

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesProtection.exe"
3⤵
PID:4232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesProtection.exe" /grant "everyone":(f)
3⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemPropertiesRemote.exe"
2⤵
PID:2080

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemPropertiesRemote.exe"
3⤵
PID:5804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemPropertiesRemote.exe" /grant "everyone":(f)
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\SystemUWPLauncher.exe"
2⤵
PID:4636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\SystemUWPLauncher.exe"
3⤵
PID:3088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\SystemUWPLauncher.exe" /grant "everyone":(f)
3⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\systray.exe"
2⤵
PID:5968

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\systray.exe"
3⤵
PID:5984

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\systray.exe" /grant "everyone":(f)
3⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\takeown.exe"
2⤵
PID:3400

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\takeown.exe"
3⤵
PID:4504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\takeown.exe" /grant "everyone":(f)
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TapiUnattend.exe"
2⤵
PID:6044

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TapiUnattend.exe"
3⤵
PID:4340

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TapiUnattend.exe" /grant "everyone":(f)
3⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tar.exe"
2⤵
PID:4972

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tar.exe"
3⤵
PID:5520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tar.exe" /grant "everyone":(f)
3⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\taskkill.exe"
2⤵
PID:2464

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\taskkill.exe"
3⤵
PID:3820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\taskkill.exe" /grant "everyone":(f)
3⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tasklist.exe"
2⤵
PID:832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tasklist.exe"
3⤵
PID:5304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tasklist.exe" /grant "everyone":(f)
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Taskmgr.exe"
2⤵
PID:5568

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Taskmgr.exe"
3⤵
PID:2696

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Taskmgr.exe" /grant "everyone":(f)
3⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tcmsetup.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tcmsetup.exe"
3⤵
PID:4232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tcmsetup.exe" /grant "everyone":(f)
3⤵
PID:5880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TCPSVCS.EXE"
2⤵
PID:5928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TCPSVCS.EXE"
3⤵
PID:5804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TCPSVCS.EXE" /grant "everyone":(f)
3⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\ThumbnailExtractionHost.exe"
2⤵
PID:2888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ThumbnailExtractionHost.exe"
3⤵
PID:5356

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\ThumbnailExtractionHost.exe" /grant "everyone":(f)
3⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\timeout.exe"
2⤵
PID:4864

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\timeout.exe"
3⤵
PID:3276

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\timeout.exe" /grant "everyone":(f)
3⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TokenBrokerCookies.exe"
2⤵
PID:4516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TokenBrokerCookies.exe"
3⤵
PID:5388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TokenBrokerCookies.exe" /grant "everyone":(f)
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TpmInit.exe"
2⤵
PID:4368

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TpmInit.exe"
3⤵
PID:216

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TpmInit.exe" /grant "everyone":(f)
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TpmTool.exe"
2⤵
PID:2728

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TpmTool.exe"
3⤵
PID:5592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TpmTool.exe" /grant "everyone":(f)
3⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tracerpt.exe"
2⤵
PID:2428

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tracerpt.exe"
3⤵
PID:756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tracerpt.exe" /grant "everyone":(f)
3⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TRACERT.EXE"
2⤵
PID:5320

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TRACERT.EXE"
3⤵
PID:3996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TRACERT.EXE" /grant "everyone":(f)
3⤵
PID:5424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TSTheme.exe"
2⤵
PID:1068

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TSTheme.exe"
3⤵
PID:5996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TSTheme.exe" /grant "everyone":(f)
3⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\TsWpfWrp.exe"
2⤵
PID:2156

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\TsWpfWrp.exe"
3⤵
PID:2700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\TsWpfWrp.exe" /grant "everyone":(f)
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\ttdinject.exe"
2⤵
PID:5400

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ttdinject.exe"
3⤵
PID:5804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\ttdinject.exe" /grant "everyone":(f)
3⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tttracer.exe"
2⤵
PID:4828

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tttracer.exe"
3⤵
PID:1460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tttracer.exe" /grant "everyone":(f)
3⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\typeperf.exe"
2⤵
PID:5908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\typeperf.exe"
3⤵
PID:1228

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\typeperf.exe" /grant "everyone":(f)
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\tzutil.exe"
2⤵
PID:6048

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\tzutil.exe"
3⤵
PID:3452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\tzutil.exe" /grant "everyone":(f)
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\unlodctr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\unlodctr.exe"
3⤵
PID:396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\unlodctr.exe" /grant "everyone":(f)
3⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\unregmp2.exe"
2⤵
PID:3444

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\unregmp2.exe"
3⤵
PID:5708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\unregmp2.exe" /grant "everyone":(f)
3⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\upnpcont.exe"
2⤵
PID:5980

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\upnpcont.exe"
3⤵
PID:5556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\upnpcont.exe" /grant "everyone":(f)
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\user.exe"
2⤵
PID:5920

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\user.exe"
3⤵
PID:5052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\user.exe" /grant "everyone":(f)
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\UserAccountBroker.exe"
2⤵
PID:4768

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\UserAccountBroker.exe"
3⤵
PID:3752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\UserAccountBroker.exe" /grant "everyone":(f)
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\UserAccountControlSettings.exe"
2⤵
PID:1992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\UserAccountControlSettings.exe"
3⤵
PID:4396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\UserAccountControlSettings.exe" /grant "everyone":(f)
3⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\userinit.exe"
2⤵
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\userinit.exe"
3⤵
PID:5768

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\userinit.exe" /grant "everyone":(f)
3⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Utilman.exe"
2⤵
PID:4636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Utilman.exe"
3⤵
PID:2652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Utilman.exe" /grant "everyone":(f)
3⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\verclsid.exe"
2⤵
PID:1564

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\verclsid.exe"
3⤵
PID:1812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\verclsid.exe" /grant "everyone":(f)
3⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\verifiergui.exe"
2⤵
PID:5384

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\verifiergui.exe"
3⤵
PID:4836

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\verifiergui.exe" /grant "everyone":(f)
3⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\w32tm.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\w32tm.exe"
3⤵
PID:2728

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\w32tm.exe" /grant "everyone":(f)
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\waitfor.exe"
2⤵
PID:3812

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\waitfor.exe"
3⤵
PID:5884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\waitfor.exe" /grant "everyone":(f)
3⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wbem\mofcomp.exe"
2⤵
PID:2568

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wbem\mofcomp.exe"
3⤵
PID:5744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wbem\mofcomp.exe" /grant "everyone":(f)
3⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wbem\WinMgmt.exe"
2⤵
PID:6052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wbem\WinMgmt.exe"
3⤵
PID:5200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wbem\WinMgmt.exe" /grant "everyone":(f)
3⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wbem\WMIADAP.exe"
2⤵
PID:5172

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wbem\WMIADAP.exe"
3⤵
PID:2696

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wbem\WMIADAP.exe" /grant "everyone":(f)
3⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wbem\WMIC.exe"
2⤵
PID:5804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wbem\WMIC.exe"
3⤵
PID:4128

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wbem\WMIC.exe" /grant "everyone":(f)
3⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe"
2⤵
PID:452

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe"
3⤵
PID:5648

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe" /grant "everyone":(f)
3⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wecutil.exe"
2⤵
PID:6064

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wecutil.exe"
3⤵
PID:3088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wecutil.exe" /grant "everyone":(f)
3⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WerFault.exe"
2⤵
PID:1004

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:4484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WerFault.exe" /grant "everyone":(f)
3⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WerFaultSecure.exe"
2⤵
PID:4836

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WerFaultSecure.exe"
3⤵
PID:6048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WerFaultSecure.exe" /grant "everyone":(f)
3⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wermgr.exe"
2⤵
PID:2912

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wermgr.exe"
3⤵
PID:5352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wermgr.exe" /grant "everyone":(f)
3⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wevtutil.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wevtutil.exe"
3⤵
PID:5656

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wevtutil.exe" /grant "everyone":(f)
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wextract.exe"
2⤵
PID:4992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wextract.exe"
3⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wextract.exe" /grant "everyone":(f)
3⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\where.exe"
2⤵
PID:4228

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\where.exe"
3⤵
PID:5280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\where.exe" /grant "everyone":(f)
3⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\whoami.exe"
2⤵
PID:4888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\whoami.exe"
3⤵
PID:5172

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\whoami.exe" /grant "everyone":(f)
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wiaacmgr.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wiaacmgr.exe"
3⤵
PID:5928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wiaacmgr.exe" /grant "everyone":(f)
3⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe"
2⤵
PID:5684

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe"
3⤵
PID:5248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe" /grant "everyone":(f)
3⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\Windows.WARP.JITService.exe"
2⤵
PID:2084

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\Windows.WARP.JITService.exe"
3⤵
PID:4060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\Windows.WARP.JITService.exe" /grant "everyone":(f)
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
2⤵
PID:1812

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
3⤵
PID:5404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /grant "everyone":(f)
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
PID:6068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\winrs.exe"
2⤵
PID:3436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\winrs.exe" /grant "everyone":(f)
3⤵
PID:5500

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\winrs.exe"
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\winrshost.exe"
2⤵
PID:636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\winrshost.exe"
3⤵
PID:3304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\winrshost.exe" /grant "everyone":(f)
3⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe"
2⤵
PID:5492

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe"
3⤵
PID:672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
3⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\winver.exe"
2⤵
PID:4176

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\winver.exe"
3⤵
PID:5900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\winver.exe" /grant "everyone":(f)
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:6004

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wlanext.exe"
3⤵
PID:4480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wlanext.exe" /grant "everyone":(f)
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wowreg32.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wowreg32.exe"
3⤵
PID:5940

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wowreg32.exe" /grant "everyone":(f)
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WPDShextAutoplay.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WPDShextAutoplay.exe"
3⤵
PID:2284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WPDShextAutoplay.exe" /grant "everyone":(f)
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\write.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\write.exe"
3⤵
PID:5912

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\write.exe" /grant "everyone":(f)
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wscadminui.exe"
2⤵
- Loads dropped DLL
PID:5516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wscadminui.exe"
3⤵
PID:5748

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wscadminui.exe" /grant "everyone":(f)
3⤵
PID:5896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:876

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wscript.exe"
3⤵
PID:3468

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wscript.exe" /grant "everyone":(f)
3⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WSManHTTPConfig.exe"
2⤵
PID:5560

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WSManHTTPConfig.exe"
3⤵
PID:5224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WSManHTTPConfig.exe" /grant "everyone":(f)
3⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wsmprovhost.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wsmprovhost.exe"
3⤵
PID:1972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wsmprovhost.exe" /grant "everyone":(f)
3⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\wusa.exe"
2⤵
PID:4120

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\wusa.exe"
3⤵
PID:2464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\wusa.exe" /grant "everyone":(f)
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:400

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\WWAHost.exe"
3⤵
PID:5052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\WWAHost.exe" /grant "everyone":(f)
3⤵
PID:5900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\xcopy.exe"
2⤵
PID:2204

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\xcopy.exe"
3⤵
PID:5140

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\xcopy.exe" /grant "everyone":(f)
3⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\SysWOW64\xwizard.exe"
2⤵
PID:5460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\xwizard.exe"
3⤵
PID:5804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\xwizard.exe" /grant "everyone":(f)
3⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winhlp32.exe"
2⤵
PID:5400

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winhlp32.exe"
3⤵
PID:5248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winhlp32.exe" /grant "everyone":(f)
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe"
2⤵
PID:4808

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe"
3⤵
PID:4636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_4.0.15805.0_none_faee98a3c711fae7\AddInProcess32.exe"
2⤵
PID:2096

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_4.0.15805.0_none_faee98a3c711fae7\AddInProcess32.exe"
3⤵
PID:4500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_4.0.15805.0_none_faee98a3c711fae7\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_addinprocess_b77a5c561934e089_4.0.15805.0_none_74baba51266f3010\AddInProcess.exe"
2⤵
PID:4504

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_addinprocess_b77a5c561934e089_4.0.15805.0_none_74baba51266f3010\AddInProcess.exe"
3⤵
PID:3572

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_addinprocess_b77a5c561934e089_4.0.15805.0_none_74baba51266f3010\AddInProcess.exe" /grant "everyone":(f)
3⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtil.exe"
2⤵
PID:3620

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtil.exe"
3⤵
PID:3916

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtil.exe" /grant "everyone":(f)
3⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_e190f18a08ed1a44\FlashUtil_ActiveX.exe"
2⤵
PID:404

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_e190f18a08ed1a44\FlashUtil_ActiveX.exe"
3⤵
PID:4936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_e190f18a08ed1a44\FlashUtil_ActiveX.exe" /grant "everyone":(f)
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2358a116979cc599\FlashUtil_ActiveX.exe"
2⤵
PID:5396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2358a116979cc599\FlashUtil_ActiveX.exe"
3⤵
PID:3980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2358a116979cc599\FlashUtil_ActiveX.exe" /grant "everyone":(f)
3⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe"
2⤵
PID:5104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe"
3⤵
PID:5980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe" /grant "everyone":(f)
3⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_4.0.15805.0_none_73cc8b3e43ba1056\aspnet_compiler.exe"
2⤵
PID:5332

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_4.0.15805.0_none_73cc8b3e43ba1056\aspnet_compiler.exe"
3⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_4.0.15805.0_none_73cc8b3e43ba1056\aspnet_compiler.exe" /grant "everyone":(f)
3⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_82a36c559596820a\aspnet_regbrowsers.exe"
2⤵
PID:5208

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_82a36c559596820a\aspnet_regbrowsers.exe"
3⤵
PID:5172

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_82a36c559596820a\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe"
2⤵
PID:5424

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe"
3⤵
PID:5880

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.19041.1_none_c9157ddc38b83b1b\aspnet_regsql.exe"
2⤵
PID:3664

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.19041.1_none_c9157ddc38b83b1b\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:3088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.19041.1_none_c9157ddc38b83b1b\aspnet_regsql.exe"
3⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15805.0_none_aadf84cda75da02d\aspnet_regsql.exe"
2⤵
PID:5584

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15805.0_none_aadf84cda75da02d\aspnet_regsql.exe"
3⤵
PID:5316

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15805.0_none_aadf84cda75da02d\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe"
2⤵
PID:396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe"
3⤵
PID:4752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe" /grant "everyone":(f)
3⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe"
2⤵
PID:3468

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe"
3⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_c6dc1994db088235\CasPol.exe"
2⤵
PID:5080

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_c6dc1994db088235\CasPol.exe"
3⤵
PID:5224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_c6dc1994db088235\CasPol.exe" /grant "everyone":(f)
3⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe"
2⤵
PID:4392

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe"
3⤵
PID:5548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe"
2⤵
PID:1544

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe"
3⤵
PID:5396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe" /grant "everyone":(f)
3⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe"
2⤵
PID:2700

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_dfsvc_b03f5f7f11d50a3a_4.0.15805.0_none_c0d2d1227427864f\dfsvc.exe"
2⤵
PID:5164

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_dfsvc_b03f5f7f11d50a3a_4.0.15805.0_none_c0d2d1227427864f\dfsvc.exe"
3⤵
PID:5480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_dfsvc_b03f5f7f11d50a3a_4.0.15805.0_none_c0d2d1227427864f\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe"
2⤵
PID:5256

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe"
3⤵
PID:3088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe" /grant "everyone":(f)
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.19041.1_none_aae8e58aa310aa7d\eventvwr.exe"
2⤵
PID:3692

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.19041.1_none_aae8e58aa310aa7d\eventvwr.exe"
3⤵
PID:2028

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.19041.1_none_aae8e58aa310aa7d\eventvwr.exe" /grant "everyone":(f)
3⤵
PID:5748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.1_none_e2f75fda217d5015\hvc.exe"
2⤵
PID:3036

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.1_none_e2f75fda217d5015\hvc.exe"
3⤵
PID:3136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.1_none_e2f75fda217d5015\hvc.exe" /grant "everyone":(f)
3⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\hvc.exe"
2⤵
PID:2232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\hvc.exe"
3⤵
PID:2912

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\hvc.exe" /grant "everyone":(f)
3⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\hvc.exe"
2⤵
PID:5216

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\hvc.exe"
3⤵
PID:5960

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\hvc.exe" /grant "everyone":(f)
3⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\hvc.exe"
2⤵
PID:5384

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\hvc.exe"
3⤵
PID:1348

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
PID:3604

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
2⤵
PID:3820

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:3536

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
PID:3752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
PID:3596

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
2⤵
PID:6052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:2648

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
2⤵
PID:2308

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
3⤵
PID:2196

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
PID:384

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
3⤵
PID:4140

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
3⤵
PID:3596

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
3⤵
PID:5168

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
3⤵
PID:4968

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
3⤵
PID:4348

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
3⤵
PID:5180

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
3⤵
PID:632

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
3⤵
PID:2196

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
2⤵
PID:2280

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
3⤵
PID:636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)
3⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
2⤵
PID:3820

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
3⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
2⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
2⤵
PID:3732

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
3⤵
PID:3844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"
2⤵
PID:2864

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\bfsvc.exe"
3⤵
PID:436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)
3⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
PID:2464

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
3⤵
PID:2684

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
3⤵
PID:5484

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
2⤵
PID:832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
3⤵
PID:440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)
3⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"
2⤵
PID:5132

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Boot\PCAT\memtest.exe"
3⤵
PID:5332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)
3⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"
2⤵
PID:5920

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\explorer.exe"
3⤵
PID:5180

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\explorer.exe" /grant "everyone":(f)
3⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"
2⤵
PID:3844

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\HelpPane.exe"
3⤵
PID:5480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"
2⤵
PID:6140

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\hh.exe"
3⤵
PID:5684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\hh.exe" /grant "everyone":(f)
3⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
2⤵
PID:5852

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
3⤵
PID:5440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
2⤵
PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
3⤵
PID:5776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
3⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
2⤵
PID:2652

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
3⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
3⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
2⤵
PID:2792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
3⤵
PID:4504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)
3⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
2⤵
PID:1664

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
3⤵
PID:3500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)
3⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
2⤵
PID:5592

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
3⤵
PID:5484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)
3⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
2⤵
PID:5856

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
3⤵
PID:5708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)
3⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
2⤵
PID:4384

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
3⤵
PID:5500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)
3⤵
PID:5820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
3⤵
PID:3820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
2⤵
PID:5208

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
3⤵
PID:400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)
3⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
2⤵
PID:6132

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
3⤵
PID:5588

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)
3⤵
PID:5436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
2⤵
PID:5672

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
3⤵
PID:5400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)
3⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
2⤵
PID:5416

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
3⤵
PID:5576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:5060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
2⤵
PID:3788

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:4808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
2⤵
PID:3492

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
3⤵
PID:2684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
2⤵
PID:756

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
3⤵
PID:5564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
2⤵
PID:516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
3⤵
PID:5184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
3⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
2⤵
PID:3980

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
3⤵
PID:5992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
3⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
2⤵
PID:5172

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
3⤵
PID:4888

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
3⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
2⤵
PID:5208

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
3⤵
PID:4908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:5400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
PID:4032

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:5448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
3⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
2⤵
PID:5416

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
3⤵
PID:5276

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
3⤵
PID:2096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
2⤵
PID:1144

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
3⤵
PID:3400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
2⤵
PID:5088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
3⤵
PID:3872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
2⤵
PID:5148

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
3⤵
PID:5520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
2⤵
PID:5124

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
3⤵
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)
3⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
2⤵
PID:2316

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
3⤵
PID:2204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
PID:5172

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
3⤵
PID:1484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
2⤵
PID:5684

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
3⤵
PID:1820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)
3⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
2⤵
PID:4484

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
3⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)
3⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
2⤵
PID:2004

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
3⤵
PID:4552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)
3⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
2⤵
PID:1836

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
3⤵
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
2⤵
PID:5344

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
3⤵
PID:5176

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
PID:4440

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:5660

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
2⤵
PID:756

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
3⤵
PID:1832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
3⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
2⤵
PID:5696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
3⤵
PID:2600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)
3⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:5996

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
PID:4404

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:2928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
3⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:5400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
2⤵
PID:6112

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
3⤵
PID:704

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
2⤵
PID:5060

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
3⤵
PID:3228

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
3⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
2⤵
PID:5984

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
3⤵
PID:5384

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
3⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
2⤵
PID:3928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
3⤵
PID:5516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
2⤵
PID:3492

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
3⤵
PID:5068

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
3⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
2⤵
PID:5980

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
3⤵
PID:1744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
3⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
2⤵
PID:5744

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
3⤵
PID:4776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
2⤵
PID:2280

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
3⤵
PID:672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
2⤵
PID:5048

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
3⤵
PID:5428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
2⤵
PID:5476

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
3⤵
PID:1992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)
3⤵
PID:5880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
2⤵
PID:4292

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
3⤵
PID:2080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
PID:5684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
2⤵
PID:2084

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
3⤵
PID:5356

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
2⤵
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
3⤵
PID:520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:6028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
2⤵
PID:5752

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
3⤵
PID:5388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)
3⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
2⤵
PID:3356

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
3⤵
PID:5088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)
3⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
3⤵
PID:1656

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
3⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
2⤵
PID:516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
3⤵
PID:5132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5280

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2316

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:736

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:5568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
3⤵
PID:5480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:6020

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:5652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:5916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:5544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
3⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:4060

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:1576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
2⤵
PID:5968

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
3⤵
PID:5908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
3⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
2⤵
PID:5984

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:5404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
3⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:2932

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:3356

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:5820

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:5184

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:5992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)
3⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:2316

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:5844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
2⤵
PID:2804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
3⤵
PID:1344

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
2⤵
PID:3720

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
3⤵
PID:5928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
3⤵
PID:5460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
2⤵
PID:1232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
3⤵
PID:5448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)
3⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:4872

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:2780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:2372

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:4072

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:2212

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:5752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
3⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:5960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:5520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
2⤵
PID:4508

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
3⤵
PID:5504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
3⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
2⤵
PID:1832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
3⤵
PID:3980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:5320

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:5492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)
3⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1068

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
3⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3548

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
3⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:5036

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:5652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
3⤵
PID:5356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
2⤵
PID:6020

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
3⤵
PID:4332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
3⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2652

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)
3⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
2⤵
PID:5688

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
3⤵
PID:1260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
3⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
2⤵
PID:5968

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
3⤵
PID:5088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
3⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
3⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
2⤵
PID:5396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
3⤵
PID:5156

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
3⤵
PID:5820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
2⤵
PID:5884

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
3⤵
PID:5104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
2⤵
PID:5304

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
3⤵
PID:2496

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
2⤵
PID:1012

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
3⤵
PID:2204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
3⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
2⤵
PID:3972

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
3⤵
PID:2152

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)
3⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
2⤵
PID:5476

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
3⤵
PID:4248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)
3⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
2⤵
PID:2248

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
3⤵
PID:5936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)
3⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
2⤵
PID:4552

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
3⤵
PID:4828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
2⤵
PID:5404

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)
3⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
2⤵
PID:536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
3⤵
PID:4100

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)
3⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
2⤵
PID:3620

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
3⤵
PID:3876

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)
3⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
2⤵
PID:4392

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
3⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
3⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
2⤵
PID:1064

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
3⤵
PID:3356

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
2⤵
PID:460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
3⤵
PID:2728

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)
3⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
2⤵
PID:5980

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
3⤵
PID:3884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
2⤵
PID:5492

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
3⤵
PID:4992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
3⤵
PID:5188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
2⤵
PID:552

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
3⤵
PID:5164

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
2⤵
PID:2928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
3⤵
PID:6132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
2⤵
PID:4448

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
3⤵
PID:5928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
3⤵
PID:5684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
2⤵
PID:5908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
3⤵
PID:2028

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)
3⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
2⤵
PID:952

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
3⤵
PID:3500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
2⤵
PID:700

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
3⤵
PID:3136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
3⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
2⤵
PID:2232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
3⤵
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
3⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
2⤵
PID:3496

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
3⤵
PID:3380

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
3⤵
PID:5216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
2⤵
PID:4440

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
3⤵
PID:3436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
3⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
2⤵
PID:1544

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
3⤵
PID:5000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
2⤵
PID:5556

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
3⤵
PID:5812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
3⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
3⤵
PID:5304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
2⤵
PID:5992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
3⤵
PID:4780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
2⤵
PID:4480

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
3⤵
PID:5452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)
3⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
2⤵
PID:436

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
3⤵
PID:4404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)
3⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
2⤵
PID:5888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
3⤵
PID:4900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
2⤵
PID:4320

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
3⤵
PID:2212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)
3⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
2⤵
PID:2896

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
3⤵
PID:5408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
2⤵
PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
3⤵
PID:4268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
2⤵
PID:3876

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
3⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:4504

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:3380

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
3⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:876

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:3900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
3⤵
PID:5412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:2032

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:1348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
3⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:2600

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
3⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5884

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
3⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:5124

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:1256

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
3⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:5920

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:5252

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
3⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:2396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:3720

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
3⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:1344

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:5476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
3⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:5932

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:4448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)
3⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:5400

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:4864

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:4148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)
3⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:2896

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:4716

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)
3⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3760

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:3860

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
PID:5700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:3336

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:3564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
3⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:1496

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:4368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
3⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:1744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
1⤵
PID:4152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
1⤵
PID:5428

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x49c
1⤵
PID:5128

C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
"C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
Filesize
530B

MD5
a7c936ff9df636a433ec4a4a05b14d72

SHA1
9dea8ad840be302333fde52f11f7d4c305a5598b

SHA256
a22965e591f64083bc8c743a6d1ad425dc455b9b8d7606597e338cb06db1bb83

SHA512
0dfec83e98b9bf3f3b2fbef95f41d4b26d1e2cf710a0441eb24a3dd5c95850b0ff7301c2b0a2ab0017e048e4ec8ee183ebfdb84827e576ac9790f370da70fa3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5qy8zhw\imagestore.dat
Filesize
38KB

MD5
de333647d0033bec2561969bea437c00

SHA1
d0787c1c7196352f51e0a61cb5fd4bea614fac47

SHA256
c5ddbc2cb0e5b88e462bb07a396b713bf0cfe0e7e5363f51e69285e097bc710d

SHA512
6faaeb45b47070b2daf0ffd157029e469b6d9bae82fb52cbdebb3a4454236e7d9dfe844010909dbdfe1092bac547940dcaa5a5b65b2caac12556efad2a088e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
fc240c081ec382df4b74d591d7d37a45

SHA1
396e9d8accb2ff8b32e6c3957808cb87d23ad47c

SHA256
8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038

SHA512
d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
1024KB

MD5
b1c7dc1032a1ba9a2c07a140e4082064

SHA1
a8ff7d38bb6e086f21d1a3dd086780f1e29976c0

SHA256
00ab2051e91b5883f7977c69e3adb1750a9fe6b8371c71729ed95fadbae70c07

SHA512
115c556b3784fcfe899e37a183d99995ec2dd16a47e972a387903d8a1f492d8d5c8970d624228df42ad40850268c63372ff90ba6375a03df3c674dcbff7bdf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G63C5RNT\favicon[1].ico
Filesize
37KB

MD5
231913fdebabcbe65f4b0052372bde56

SHA1
553909d080e4f210b64dc73292f3a111d5a0781f

SHA256
9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad

SHA512
7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G63C5RNT\favicon[1].ico
Filesize
37KB

MD5
231913fdebabcbe65f4b0052372bde56

SHA1
553909d080e4f210b64dc73292f3a111d5a0781f

SHA256
9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad

SHA512
7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\activity-stream.discovery_stream.json.tmp
Filesize
158KB

MD5
a92d2774fb2280846c7b6444031c9f22

SHA1
226995e94e9799365cd4d9e1301b59ec899ac8b1

SHA256
226577a3f381a0456bbb19c607461b854b703c592a5345a23de88432dc3ae9e5

SHA512
f5474d4065fbb8e82890935ab0f660b2a6baa06c6e8cb24d518518c27c48fbc5e89b6f62ccde601cfb055877217c80b46ec6304014d0dfff72ffa57ca20fd2f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\12700
Filesize
20KB

MD5
c828ee5be0f841197253137a3ddf96e3

SHA1
af66fe5a3954323ac3728cb0975e9aec7e121059

SHA256
19b6fbd5b5537dc681127367a991b649c490222702fad2bf7fc373c5ea31c3ac

SHA512
8a9cf9bf2417f9a161a8234e12c3f55c7fe8a77129c6150f534ec73b5b8bf1b3bea4f8842896f31db1ca3733192da701c9f29a1b310790850adb2ab02f69ee1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\13769
Filesize
15KB

MD5
61b2d9da6d827fed168f0cc378b930d6

SHA1
1378997e38c5d1765cb452be2eec8054644d68b8

SHA256
811e658859558843523038e3d436d2c9d3dbbf26a5218ab3bd27f9ae897c133f

SHA512
3f2112166b2da45cd243d1e45b2f2a96c3afcf809ef79f9cf5696158c32d2a2ed5ebd6612a05c6d6b823f54e95ac093bb5983d8d6b5ce025d6d15b4c1bf59363

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\1382
Filesize
20KB

MD5
ec738040dae4392524a466af0317a2fb

SHA1
0a52b79620629a9bc3e02a5ae52ed4fce0bc4da6

SHA256
f92a101e3b4e5549b2968c426430ad94a0a11d4da5c62988f2d58238d580c419

SHA512
31edcdcaf3f7ba2cb17aa1995c459ccd14edc9988520edc6729b7aafecb4c960a38ebda612da36df1f96f9cd09592f448125fe4334db5f5bc9fcbd5ca2f02e87

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\15254
Filesize
15KB

MD5
fe8c9cc12464e8af8e504baa0b2d4c62

SHA1
651a9ef4acddef11a208a468e744678241ac6fc7

SHA256
c9477f4c8f5b8f394cdf667c0d3d555230f180d3674f64cef09cdb386c89a012

SHA512
747b802a608e24c7330f8c04d5f001af91650e6fedfd231f01e5885b4f2a0fc326856c98acccf1d27d5a83d3974226d6a61ce70fe3161a98f40d93ddaef7ae6a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\16728
Filesize
15KB

MD5
754e1db305ef42c1af1b04cf110910f9

SHA1
9da1e99428e855690ac751f7e379edf73dec31eb

SHA256
38c1da7ba1e3b9ba0b18aaf04b9c9b61612694b7d86546599db9c1197f1f84fa

SHA512
9e4d018978c8b04db22f0efc1810947b2741c60e58bd8975f7028fab87fe8d0c9e5bebce2c2a3478f7dbc5de38c4f7c115a0a19b21bfefd65a829c0cb927b1a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\18109
Filesize
15KB

MD5
f86e9f45e0dfe7a329c632218ad2c01c

SHA1
b57432defef063330e4d7d7836f6c6b7a2408951

SHA256
b37aa8bd0ae299f5c1c01ed4b2e9f1ad87062eb7668d3607a24bdd691e7311b7

SHA512
19420df4889de4a2861cf5f7c84613ad672b1d6b328fe1f24a5b7c8ab1caf746a5d2f9d1a8b4adb8b3e4222426d2c04965c2a5fd7e60f82fcae3653036d61e77

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\18538
Filesize
12KB

MD5
41aac38535f95300c5d6e80b4a813e31

SHA1
00a5bba65fdce024ed2ae00f1a98a6755283b5ba

SHA256
da4b6ed8e275926a1f9fb813c8004ec6624456b18910974d1b60faecb64cafec

SHA512
8f4aad13c3c58b76b395707dc522396ffcf723a7bca23817378a040c273af9ca0edb14dbd33a7d9e01fa29f925f1abe55f39da479013f45d4213cca302d2dbe3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\19293
Filesize
15KB

MD5
a54fec99f003da3713d86dbbdbfdbc4b

SHA1
39bc15acd08204415c45d5ec6af4ac63a3248e86

SHA256
160f53576bd5e71c0cc1774fd3cd4f9558770b529de34b701e23505b15481366

SHA512
cd24ea9344fc76ee6a248f03e018473f95d198ea710cc4a06773df4e28ae92b7139abc6b5e3faf7844fc0cf732e6c57f8335dea09f41d272e69c3deba553ee98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\23007
Filesize
15KB

MD5
89921eee5291ff212ce9829846fcf591

SHA1
1885e6e39ca20699a9ef826418e68c9eb68c040e

SHA256
8a3f59108ec6bff1d1892949e42d4cf5d03cf06ab540e0036160137fb4e231af

SHA512
826d95bf0c407c512beb175ff59284c47d68d114f2f911b6fc6c2076ece56c2cefa4dccf64be54a192526b03ed175d171f3d4b8a367298208dc911e4ad598ee1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\23596
Filesize
15KB

MD5
0e3081683f7785716ae2b13db2045645

SHA1
b77d4babaa699be5697499726e9282c7fb37ee0b

SHA256
f075e242b04b9d24b990b8a3d9772e167b9070297e65c42bf6322f22e167cc7a

SHA512
5f3434f5e8330d1587de45a8febf2dbe862de0c08317b34ec9ac9a1bc96d0ff952243d1579d37730ee1a3ce42078e65a5404bc3ddcfc6c81988eb247bc69a000

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\25550
Filesize
16KB

MD5
0b22fc0a8188fd6df21e235d34d3414d

SHA1
5ca9bb1032a0b70b9e9baceb1082c00ab09cea6c

SHA256
371d30a3b9b6338e76f54ab139043b50f0f4ca3c6e4883f9ac23c1f99b6e82c1

SHA512
fcca5ed3329663be44806b76613c18dc009c74f0a56c6311577bbb5d783c6a978d37a3b32ab4f68e6af2fbbd811dcb119e2e4c33ff4f8777bd0e337fe0195887

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\25590
Filesize
12KB

MD5
29a8459ce78a6e5fd16dbf045f46d822

SHA1
1bae38bd2716986e32b78ced68b05811ba6d518c

SHA256
5adda97144d74abbcd62466f04733d1d7f1b52983422de19438283ee1479104e

SHA512
8b6f214b67eb5a3ab62c59286700b5805252bcbc82651abd4516d23ca8f0c96db8bef71e3b274b08fc717df97e4f8ce837dfb0c4f11bf801a7ab5da9edc1cf6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\29148
Filesize
15KB

MD5
e0f5a3533c379df36605b2f719a6a9b2

SHA1
8d8fdc761f62e759376d31bdd1e8a125d87d3142

SHA256
3d49871f879a7408332a581cf4a9f5674890faf87132df533f01830371b409c8

SHA512
95b116cce6cba87144d2a1dc201fe6c6eaf5e1136fb92d3bad4254a63385393e35f1e38fa12c46bb4c06e6da3d5e612dc84cce6ac4e3db6dfc1fdf0d79c878d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\30846
Filesize
15KB

MD5
16a168a81219fcc89ba614c6d5de8bf8

SHA1
4a5cfd763181841e37a1a353cd0ea9743eae7230

SHA256
0ee4c973be2436c4d8a37469e9a987c234a01af73ad12d11f35cad1eabc7f73c

SHA512
d2e2da2152ae80051b379239adfd18da91e1316900da2e56c65ec4450aeaf61454f87ae8cc86f57c99684aaed7e52d98e09736d566d1ef7918afe1deb54eae32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\3301
Filesize
20KB

MD5
494a04929f77eaae3d454f37d9b7876c

SHA1
08ea11fd0261da6704cc447a4e0b6c64134f2a17

SHA256
90194ce45b6d287243cb5dc3331e8a75c45677657861de0311d6a1b59bce89cb

SHA512
c95707e13827aa7773123f756c394a7772e265b4cc77d7ec41d4f19440c2a33a94a76bae7217b1ea5b358c9b75cef4245fbff2679e3400f007f15c81d10aecb9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\3778
Filesize
20KB

MD5
6d2015b23c4c262400f7212b84b6abf3

SHA1
862d926741096e1222ab3b437a1039a1a1889d6a

SHA256
8b2999ce4ee4478200b110795f27fc8086055f4610d0b5ec6a19b62bed32e6c1

SHA512
721b660394ea3d61b9c92ec978d3e3ff5d85e70d1bba17b52e04359c1b8631ed308a6a9808672e4073cff065c2624e5de29e36555a65b3a42215f3d759e1dc0b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\5386
Filesize
12KB

MD5
533dcce6c4b430088871c4088c97e713

SHA1
9515b617b700e9a30351a2639c4689ba11607161

SHA256
49a5f41e72b556e9a32c125ca7fbde5d6101ab300589d9598d5dee64ee029473

SHA512
6c50573d5cc9a78641b070af6d5f5f080e3a568d379315d10903cd07ed5906ad07e0b6f95f5aa07b56a1a5c9aa7ec75f9ef5c3985e0a8e56fb85f6c2e1c6b225

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\5903
Filesize
16KB

MD5
b4cd3df20c7c21599e683260b99c7420

SHA1
b2a4ce2c0697d714bc82d45d3fda7362aaf20744

SHA256
5622d3bfc942e10e0fab649adb5bba8aba973bbd9a4121a1cc25f97322c251f7

SHA512
bf33c1c06d5f7de8bec2aca382d662d327b6be856b3ff40cfd994c3cfdb765fd83d73673330dfea878bdcd6adb1f073789edaa1efdf6d12beae70faada8231a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\5905
Filesize
16KB

MD5
b416a0ff7f05821d517f7c9bd5232430

SHA1
139c3f737a756b6de0c397f4cb2b4749576145c8

SHA256
3a3deff606f6da2d53c08da1036707a33e696647cce1615b08126992a600eb41

SHA512
1f86d2a4b062d765db7de51a92cda2991ef2f2f49cc4000c038ed257a936829bbefc19884365750a30e34c649b928ba25df5c93aa8b5de0170b583a21db98c48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\8819
Filesize
15KB

MD5
7ee4fd64823538ab5c94d0ed7e13f6c1

SHA1
fcc8266c2b15d77495c2e8d3a75679d20818753e

SHA256
3c2b2e70fe98b383896d6700aeae0ff89b39d0337e4c39699be378efcb438eef

SHA512
16184ee5de9a41c366c17e907a4bee58638bad005f4fa1592ec55cbb20ed8685e8a01c83a8f480f6e00913301e37146ae07975f7f708e086b7136418386f425b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\9282
Filesize
16KB

MD5
e5054daaede4d6a6c381dad4f4dcc049

SHA1
0a79345710ab365827518e15d073c2b7a092690d

SHA256
8bd1041e653e6adedd578e3ec3420cd51bd18fb7df8ee097b57f16dad282a224

SHA512
44b16714050dea90cfc813709e0bbf6e6133b77a58dfdd555a4eaded33e1da280b7c47907b7a587c64ac7d74ffb53ba25711dcd119244bc0170fe545e8f0c54a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\doomed\9628
Filesize
9KB

MD5
f9008c24343ea621a744624c576960a4

SHA1
dffaa266e682b3f52540bf7a846955114c655371

SHA256
acd3037723e513d9a67b38ae5601151b9272e82436c8758e740cccf42dd9fd9d

SHA512
e2f15d5f75dedccfc97a6354d0694a5812f023ed0a62074045de3c9153c3acc609eaf2ed54b32c81a228910c9f8e34c56f796c970b082f3984c885b695a61080

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\0B863F0C5A7886F1C48D241E6BF79D840826A1CC
Filesize
978KB

MD5
f06d41af89e47c449a2dbf78de92eb03

SHA1
52f6b3adcf7851e7357e74b482e9dbf2ce0ce736

SHA256
5a6fdea453510652ed172b39401e65f1f40a46f1c279c458835094ad78013d1e

SHA512
260a7a1255b62bf1258b5c2fad8a60afe9fccbb43bd328ffb1008f1bd182d34769d3f0430cc491cded5b580fe8988e65be258f88bdd55bb7c6eddb0c52e54ecf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\0D181998445B740A7A506CC74F66FA20D3552A3C
Filesize
122KB

MD5
8a887f0cbbb4e9b62fba90ba888e9dd9

SHA1
3701d01596bb46c70ac2eac4e420636e88715232

SHA256
27432e039a594664d952febf29040fbf8261f8d26ab7e34be7eac41e4b7d53b8

SHA512
6f77f39960ec13407b782b849d3e40a4aed070f78527259e651cf8deaa2ee3ac897ff82f175232f94b449581d5b0bbbdcfbb4aa2825cb96339b9682f30798717

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0
Filesize
14KB

MD5
74b12d05dcd94cc184451e269c54ac57

SHA1
bf65390ccf55eb01b888c134c71db44b8e8ba8bb

SHA256
58531815b7584698140b3821946154f431a4c8094a41d1554457f660d7844f76

SHA512
9adc316d977e6284580bddf20cd1b55b38667ee5d66d1abe13a7a82ae61892d02fc361466a84c9e84b9ab51ac058b924548d399ba61c11950de517a01a1111a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\14A2B95DE503237CEB04836B73E867E882C121A0
Filesize
271KB

MD5
84945ddc70598c5de19d7102e4605887

SHA1
b633e9428df7d1835082f5e78973c256fa79c3e1

SHA256
27bc6524d5c4828cbf9d446e81cb3fe942a82e2fe14a97069168d27e6872b4e8

SHA512
6b1865fab9414bc16b51b8149f4bd7c786f5746b297544f75a9b89df25d0ce3b0a301169338704e5e6b28a60d830a5050ed6d89c164e942c0c5104ec507ba06d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\18EA8F79AFAE9773211C1F9C3F1E9406B6584571
Filesize
544KB

MD5
773009b5835c9109b152cefb687ee13c

SHA1
a96932365260864923bbca14466e80470dc79f19

SHA256
389483f3ab15e1289dd958eed68311e059739fcf985b16727702cf00032231b2

SHA512
6ae5fb793d3f9467356f4d2ac4d78b788cbecba633a3cd5e16aa2131e01e2f0e5bd979f710ee85b17415c65aa5efd5feb1d5476646d1b21482ed290e9a89f918

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\18F715ED05E385BA2A31CE0325DF694CB0E2033E
Filesize
55KB

MD5
e85cda29e09c8105859138d168508411

SHA1
5086cba6dcb675f2f9a1194d0ae7f1b0496fe711

SHA256
2eefadfeb1df7f13e684f44e5a84234573a4c062ef5cd86132727ea134b659db

SHA512
3187b4e72ad6816798c91cd7125510002422d0cf5c1770c60e0373ce831519f48c3a5bc5f9f34b12e35435bf03e44d05e1e1051be4c6475e01c34bb0a8f5cfd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\200CEACF0245BB1349D9CCD0D2602C2DAE534832
Filesize
238KB

MD5
94cbf08bd5514549cbd0e43a98034f89

SHA1
e9075a4839cc268641bd629c73ca0ef988854c8f

SHA256
01d7e77ea6ea375175ebab06c84b1b512e7cb0e8c795aefa8b2ac9c1af5bd0ea

SHA512
e5fdd78dcb202002431ec85ed366251111fbe5e41c44f9321445eb46b64051c5f3a6abb6dd6f12eb87f8e53a7b32ece2bd65fac0b1db4be585f933e5f9c5c67d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\201F497E270F5AD8200695DDBFEB5D732AB51237
Filesize
45KB

MD5
3b20edc6ab5a9803f9ad20f8d6ef70c3

SHA1
177ddf3f2350f427ac589c9e8f2ebef409b0ed1d

SHA256
a16e78bad4e62d3e69c66ec614402fd20b6605bb0f160afbd9a97d27962cc3f7

SHA512
fc2a18fba0010f1c7c8bd4aef033d58817715990d41f9d0dbdbad6ed6e255b5f51d77379e7cf8f2673d0024e6df3c55932f298fafabe25665b9bd8b742a301be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\3E863BB755E8461897E9EDD1C58E40D46AE814EA
Filesize
22KB

MD5
a35d06ab437be19d62014f558a2fa16f

SHA1
91c5a017a1403be5e4c54689d5e1116ce1e4c1cd

SHA256
7cc4cc04c0c6e94d33caefec9e9e9faaaf3664de8ac33660613ab63a785de803

SHA512
a87bf3a31a9bcdf01709dac5360add857a17e7cfba79d88ff11f36e57cb600662bf4d80f4d921fe44752b6a020ec36afa5ea14a038042213ea48b424bd67738d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\3FB348331BD64D5B392EFF7AA5BF2AFEA94557D4
Filesize
228KB

MD5
c2a9e7718768f5ef7111b904ba157dce

SHA1
100f67ff6619f32545c167c95419da4a66d2ff2a

SHA256
3fb2e8b44f8e138fb563380c7014da105f7a219d6a9b81260903c590dfdf3e15

SHA512
903fa0838636495d862a392bc8cc305e3b964f12377c3f2c2496456709152a483f9add69c80d7eb43e0584c9ffe0cf976c7209ccf49c4a955a69262195bfde13

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\43D85496C662B7D14D6261ABEADD01EB2B883812
Filesize
68KB

MD5
4663eeb8d8085a312a5ea9256e403378

SHA1
dbfe9eb95241508e59e08b544ea8c2bd282cecd4

SHA256
d2c63bca865eb46c931d22f838ad8be7ff54a914b3671f3ee098704f802c0ba5

SHA512
0cf99a56687f19c89f1b1d382e7a31703c311d897cc321c528a65371967076dfbc937401f13ece0341c6ec469fea97f4bb8b4269e80f520a8e8bf8eefa625f96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\4446B164163B400F30403B5D8226A0918E48C2CF
Filesize
35KB

MD5
afa8237d1d1764ec259c2de4f618e99f

SHA1
55c2a0ad79a60d8db457e80759cc054644bde978

SHA256
8b5e20360d92e37dc30211ce3c5d68eee8db91db6d86d7f4f50334f9c461220a

SHA512
15e1ad5f2242f3968907bc1b671696b116a4be04ed44e2e1dbaf064c92c5ae1dc7fd2caeb23170b77511fe6620bfa9211ac59e580504fb2355dda558f82c6df2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\499BD3587A9135FD936FDE0EC6CB44FC6760E31F
Filesize
57KB

MD5
103606cc7c8cfb46c9e455266268ae83

SHA1
05115a6fee042f9cae0b652b8c98fb67f7617b36

SHA256
0aa1e0ce29da50e0748952bcdda26e3edf994e2af03f644e897111331538a3f4

SHA512
9997155c659ccb6499bae91d59ecdbac7b2e1d35c1e5798702455389b106ab59923c68f8587bd3aad8e54969cd29c36d335eeca790ccfd97578f5cc1b5310334

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\5038F595C6A9AEF9C97637860D05622D46324449
Filesize
9.4MB

MD5
e8e63729780b401e97547f4e3517fb5a

SHA1
50d4678f12a45694f7edcacb2e362bcfc48b1d5b

SHA256
1953e3a2f1c16640571c33ba10c2ce446674d605b576f1c27a23a6a3d43b9d84

SHA512
0ce871d747bac21a70976dc46a09a2db6043a4d2b9a702bfd186594e6fc78723ea85a8205d388278d3611cfb5d2beec62ccf3760449058885426521fe7aa5628

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\528E32265B55791214875E4B6546E112823548BF
Filesize
141KB

MD5
53bf0d8ebc1daefaee9d8c55bb9664c1

SHA1
807ad76132addf15754ab44582a1e3edbc9ecd14

SHA256
3a0ae790203aa0a8706b5c5099f1310cb7383627ca4d4be8f1c7c5f138d688f6

SHA512
8d96dbdde04281fc50f97277b935438638ef77bbdf71266569ef0d6e932d33e18b3f567aaf3b70d0131563104ca9f8081ce7a48ec7396173ffe539d0c95f5d6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\57EA0F88EEBF05F0779B559D27D0EE473B11DD25
Filesize
875KB

MD5
60670766bd23e6d4d7fe2408e13ebd3a

SHA1
9ac144375a0d8d54bf9aa52f2c378de3a0dde231

SHA256
8b377897c46e9388587a9316fd42343c1ddfc7cc77b99e99165f649542dd41ff

SHA512
bac214be1a2020cb7b5529f64dba77d135aac9f4e9fa21e5eacf0d5415596a04da0451b79622db922ffe1b0e0753a692ccdfe9fd30475d320f9875beec756f6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\5E865ECD8A9C36DCC2CC8B343CE856505360F8A5
Filesize
151KB

MD5
fe6de745822b5aac75df533f6dd0c94b

SHA1
331a6d6b2bdca0bb96f5c086fc07616c57abe8b2

SHA256
132c5e926e2b0b6ffedc5ba6498c7b16fbb60f7f9e116a390882b1cdf5f0913b

SHA512
be365725eb424370c3c7f43e9876161c4a2c2b182b2351eaf819935d6ecc91842614adb23e34eb3ad511c0457edf33a3f5e46a789c6959ce57c8206c7a7aa9dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\63E1455DE10177AD2D33527BF9A685DADB0038AA
Filesize
20KB

MD5
dc95fde44388fe82ca64697289fd1acd

SHA1
d2f03ed46bd5ea870e1bfd901db42b4f96d68e13

SHA256
02a868ad8dfd428ba69e8ac055e1a6e6a26a7f6cee2a084554a8f9e1d8de29b3

SHA512
fc6be3fe698fadbf68cd899068cc96e4105fb524a5f7755f3014e7581a877a329c169031f1ba589cd076f5cb2edadee3f2e6f80cd5d8b18b561a879ea98e16c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\66E3150418D5F0529F8213B36327A9CC9F9AA99E
Filesize
101KB

MD5
f0bbce7cbdd730925279c51e1126639b

SHA1
b2c88b8d7c884b13f051a13d0ca8d73186aa4522

SHA256
3a49c5eeafcdcd467d4c8d57df0f9fa374437eeb42d28fff2deab081e2bfa326

SHA512
633b1fd7c446b7b1b36665ff3c1faeb141395bab8a47893ac5c800da9b6b87e9a93bca43c060d0f23e2ae330d05c4f4aa3e566cd297f88f0cdd81f645f232d34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\6D97DDD75986953445C6295E2177E10A9987AB7A
Filesize
57KB

MD5
db3604d7db48e4045ca580e201bf279d

SHA1
f4eda611826e84dcb8b5b2c8c88e98bb564426ea

SHA256
ada4a8092e39082b2244a18f3623a091c6b43d037e46f0d5a96090fed3b94dd4

SHA512
3f9e27237e8ce7888479e2350803a40dbab1bd461a712ca34b87cf09c394e93c4231ca2473a39ba4c6362cb5b3d4943a2581fc0df6e5e51f96db5bc995bb43f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\6F43C047A46DEA3EB4DF2475CC13D399DFF4D2F5
Filesize
61KB

MD5
951410282a7efb987116dbb6eaa99bd2

SHA1
54fe1e680aef55223651ddbf539ebf4a8356e772

SHA256
85b809d9b79fdc921131abd682a09de6b347c7acbd21a6b92bf8465a4c2fe04d

SHA512
66412c41fd037a644151e4b6e2a43a297dabe919e62e3bc5bd84423eb3ada5cb54ba902a9d06fc3289cf202fda68c8fd3feb588962371c7865e7b715e1508eef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\712C2371AE7349DAAFBF9FA1E8C901D6A277630E
Filesize
4.9MB

MD5
c36cad78f50b5a2dc7468fe3f10b2cc4

SHA1
27ac51c92e225c6e373b96a699112d3822ecf715

SHA256
478c20208611172bdfdd97aca225a44c3ed667d2a3274536b0e13d4d33829b8c

SHA512
4f594f6ba68751fbe1da8dd6ced6e21a81b386ea3498e688b8d12f016a2aa5a5c98608b17bde2c5f6a90a6c53167bac3b71b1d6d741f21d13b372464aa38ad76

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\8180347B3F5BBB6282221DAF9397704E0E1F91AC
Filesize
210KB

MD5
de28e42aa461c1b5482cb505fa2071e7

SHA1
96510728c3b0412ecdad086e1b7effa6663dc45e

SHA256
8510bc8fe15710cd051b15ad5a15cfd9ba19b683363fad08dc92ef405b89c865

SHA512
e59e524dc58b10001dc2d7ba1bad5d0ea3760b723a51530eb3d0bd7337ac31f28cd4fc1e163b054ca089d347da846a775843f5fee8471c3bd2bdb009bc2d3bda

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\84EF99A0C0865DC677E068F5547D92E943EA0712
Filesize
56KB

MD5
0e5caf908a4cd65a096b68a7b7db41c5

SHA1
0beac79e5dc30f20998a24f887afef6ceea6d5b2

SHA256
374153fa2a79d83300cbf847a225d9601e1f8d9360bc98275b2ad21d3efea711

SHA512
db68403c4af567197dd249a89d13a2fa5ba4442de00722d113bc61036d86a2aeb7a013856dcb88fd4c229eb990c207b75ca80a7ae65605db77d860d1365f333b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\85ADA7BC73D8F2AD193028F1AAE78F38D374FD22
Filesize
102KB

MD5
9240eca79152faa9fda3cd9e17b2a42c

SHA1
4beb1752d45b657df9e0895229f56c0c05f87b66

SHA256
14f2008fa556e203f186a7d33455f3f000e1f853faa22bb52396c8d5d9f9e0a2

SHA512
a4c0c70698d9efee55d55f2355ce956c5a6f976534ca6938868145854da0f6439d019ca30779c40eefd258258cbd5b9a8d587223555a45c35e319e3fcf845c2e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\87C0A386A008550BE1CF57688753F1674992A5BB
Filesize
96KB

MD5
7cd4eb56f272c4b533ceac5ff552db34

SHA1
b8be725fddef24a41763876831b6965cc2a2ad2b

SHA256
c623284927515a47f687417700f195cc86cf6b7041750efff32ca913569a685a

SHA512
970f08da896677b886282ea381dcdcf2cd021b2815a3f9ec8392ba16eb82b8b23bfefec46444e2a48577b104f3470d84297f5e11af3c173883d145adeb6343e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\8FD8B745F24064D987D1D2470BEA14F798E67BD8
Filesize
3.7MB

MD5
125f864d612ed66802aae14488f5a1eb

SHA1
57dccf282e4d176e5b682e6b161826f7b07d2cd9

SHA256
81dd0c1dae2b73f5620ab8c469544ba63e126b645d9c64c4c656708b57646100

SHA512
d341a357ef969635833e1c683e74fa85a93c32b72c79f47cac7bb1cfab7af388e3b0306efba9ff8b0ace3f0dd4af7469e37a7ca2547d313f60ea32fd56872452

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\94E0A6237583362BEEDE8DFCB03A76C48701F762
Filesize
564KB

MD5
b7a60955e5b073a677a6ca45e0135a2a

SHA1
a3c9833a3dd997a53b6d9c60863c16c2d616eefd

SHA256
4734bfbd223c3322dc949770e9e8e27facac0786e7f44ab5bc312410fd196d56

SHA512
48991213fde8ad1a8f521146f6a77daf17f3362fd2b8bd092ce69fb117d35bdfb7798babae264657be6b135e42e8200670f769bd2a3a4528e4109fce475624a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B
Filesize
24KB

MD5
db7868f5cd7fd04422f1ff5cdcc08be5

SHA1
e4fee4df84033df30c36ca6c636a3740dfa4d967

SHA256
3dc3f692d72d3dd2f2abc9def1041afbb6c42cdbc75151bb1cb43e1a03d35b07

SHA512
c0f20720f79e47be9caf8e172778caf5856fc17f28480c80c0030b2924750e2140b854ac468ab0ed006f2b417b15ce2a524e2210689343f316e980abb5681427

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\A11AF755FDC753FAA9657495A30F3329759C4E7E
Filesize
7.7MB

MD5
24ad6471cca13c40e405ab320e4d8c23

SHA1
098c19b1fb985330d29ec4ab9eb4f79f618e7f74

SHA256
78a7031c00b22ce409d5a2e3995d5f93e1d201279d3fa5f8f5b0af12f743e98f

SHA512
7af55cea2ccfb1d392781bb0545beb5b89fc0e91695f1c6d9fde9ed81b8e92306c0766c2d94c16d5a4b502e38762b16ab028594302386a6166e4f33a5e65ffec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
Filesize
40KB

MD5
e068e6cf90ec8300aa88d4ccb4d36e12

SHA1
66ff459212ecebe4cdb213b5a86a335fb399b9fb

SHA256
3e846733b4fb9a49cf7c7a6f6bbe37b1bc6a2269f4dff3dcf17a7d28e07d381a

SHA512
a754db0eb148307e1770bfa291f1f13445dbb434e17c7ac39f258ca71102233915484da44b1d2e4be4c68df1907113981a58925ff96f296883f19fdb2c96fc9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\A752BE816C32A166B4212612D41570FEFDA0B4E8
Filesize
24KB

MD5
88052219c5caa53fca425c3d225a13f6

SHA1
16218a3555fb9025aace09f147909e70411fa5f5

SHA256
744192f731b29c83ed9768b31bbeeda6eed085080b123601848bc96812bb900e

SHA512
f53fb14a2e75dc385339f571b7375b56493592315f251b5f32122aabbd9b625f822b5da404a29354e4a082d87565eedd497ba78c110ca226874e9f40096f437d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\AB557D674A55986719C0818DB458D9306961EE49
Filesize
52KB

MD5
96b7ea1d988b917bc4d68dc3d07f988d

SHA1
bc582190f7146c10b3a9b12b775a66880e5726e2

SHA256
294fb72bb357da1972a931aa88b2a907120f47ce93ae6eb5f473d54a17030d4c

SHA512
5c0792dada0a322b5c7bf64543fbf83a5ffa8f79780509cec8c58cd43e144d2b192d7574d88d80af4c63c1aa2ff4dfda033175643961a44501901dd796721d04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\AEBBC120AE5E76861DFFADF5B322127D4D7933B7
Filesize
40KB

MD5
e337db26230de00194658c71848f679f

SHA1
3e63b0f4f06a94213b8f642322749ca4b80793d0

SHA256
4ea64e4950720bbb6fdd3c1a1f73c2f768dcec193dd3f2e0c082c9b37b541641

SHA512
a621b32f33db8584dd90f523a59d9cd0046ff9722c9956afcbb7c994880226a5b4d4fac54d8e253ade4978023bf1446face78cd9446feb53c89b7cc602a1ab74

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\C8299FA0DF6878F3A62002F8F925F4820F4B72C6
Filesize
1008KB

MD5
02a8607157f5150c6affa0913a05784c

SHA1
b05d5e9044237c443272bd72aefd5e8c602d183c

SHA256
2241c7a02fd93b917e1ee7c07b5624734f432c11b36f5fe85a0783d50ff7314c

SHA512
5490b2f2bd1ae52ab53b894292b6ee62d1ca347a22b9ab39c1c31740dc34ec2c6ee95b6486fe04b8d9c5dfd8300b7a20d9059e60bd62ad9e9e7eeebcbb0cb022

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\CC263E571AF66AF85418CB3E670545836A0AC056
Filesize
102KB

MD5
a6aded4dccc59c88f2cf45923af97444

SHA1
f6ea8aa8a3896eae8b2712ed7c36c684752f5617

SHA256
631a2b7e8ee5f9928697aaebbc6d1273cb1e7579cf958ed4c55dab388d6dd70a

SHA512
4039c9abd559f084d2db94432e5c0027e067ce12f5f1bfcb68cfeb466edccbc9a8060b824718ed44dbd2341573ae54108bff58cc5e12af0c2214b7660d0b4dd2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\CC69867337A4F6C01F6911C08F43F60CCDBE79EC
Filesize
29KB

MD5
16135bd3b6d8b528ff68f10a7f33aad4

SHA1
af8e8069d5385e83f74a480b1f2f661e519a4ff6

SHA256
f4d5d01a7c431ce81da4eb8aa3029ff8758d635779c20f7c22b53df4bcb53851

SHA512
7f6a963f5def268c23d6acf50625efdce8bedb65309cb786e590f299f45fb47eb074f523a1c2dd12a63305bd87ee9ac226604453cf5c0225b3e0451ebd02812c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\D444043023B6F391E514B1044C5A1D05B9532EFA
Filesize
27KB

MD5
89dbfda8023cf0dd08bad2c076913a2a

SHA1
ff55495b3b3a6a94c41007ecaf4c94f95f87511b

SHA256
c7e0c8463037f0bae7a082507964d70a0884972d1a722bba2be6132a53e0f8da

SHA512
8dd66b73c05ab0d5bae97fcb3f5268ddd7509cd03e610fe21d560af8010ac7090dc0d1b676c24146cbc757550bf6b684af88629932ca312af9d7ad1b707e997a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\DAA5E3920AEAC4CD08259711BDDBD8C97B43F68E
Filesize
231KB

MD5
a2f70f4e4df94d2e272e64eb5b3e297f

SHA1
4f90d9affc02be703f8fb581c6d350df1959b30a

SHA256
9b8d6faff83732bd2e8b3dac2491eadd07d26679ced8bb23a1293fabf83ffafb

SHA512
5cc288b7ba1097c50ac15d8cf1379d92ac2e90247373fffbfe21d2ab741daa61706dbf0760aacaeee296db767b7998be515426565af2d788f9ae0cc6bc8ea7cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\E613A3804C84D03E50293FE057CC8C5D0ABE027C
Filesize
1.3MB

MD5
a15f4cc1186c06120335381581026f68

SHA1
b3a20375bb5576a6ff7015080da9e92298d47968

SHA256
76d1022e2cb77d312b560b4a961b0ac5b066d86772fd84358f6123f4caf004e3

SHA512
081a15bc8af0967ec1068041f31029cf070a87978778e621a045fc8dae8993e4dadd4afc6f64f62f713d53aeb0f58c6bccfaeaafb14c7e89f98d2a3d1c3ff38a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\E68A31797159DF6E6C16763AB71A0278E13D2AF2
Filesize
127KB

MD5
c8f5c5f935b419eca3f3b495b5bfad3d

SHA1
8a7a284e4037e137c6c5e2b7303d15c082cd1382

SHA256
baffa46e1a12b6c790d20d77a64fa874ffc742bc666c3890468a96e1d9f23d60

SHA512
787297ff990fe77ac84d5c366751574ed70cb24cfc246c0ef3d0aacce630ce6b8165bf827b6c931712699722c0815e8b7ff26dd19c1c4f249f12f60943f60398

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\cache2\entries\F96A1A8368D3C3DD1FA81D170326E6C1C65D342F
Filesize
30KB

MD5
d0e28a37bb84457f12c14f202688722c

SHA1
dda67afa0ced2603e1d579012f8d017b4313a843

SHA256
b4e5c12b2da67fd8254c482426ea2eb1a154809d923499a0d59a325491710476

SHA512
25ada2e1004fd6c9903cf8ba074349e35b3da65bc3d82a45fff6f350bd2e987578e00316848f6e38466cd83abd47bec8d5304a87db9a5bdb48dd13f05a05a06c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\jumpListCache\5fOT2ZZcWKqSFvKh9EHX7A==.ico
Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json
Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json
Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json
Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json
Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json
Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json
Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json
Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_finance.json
Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json
Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_games.json
Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_health.json
Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json
Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json
Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json
Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json
Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_law_and_government.json
Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_online_communities.json
Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_people_and_society.json
Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json
Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_real_estate.json
Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_reference.json
Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_science.json
Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_shopping.json
Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_sports.json
Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\nb_model_build_attachment_travel.json
Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzal0frr.default-release\personality-provider\recipe_attachment.json
Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT
Filesize
13KB

MD5
7070b77ed401307d2e9a0f8eaaaa543b

SHA1
975d161ded55a339f6d0156647806d817069124d

SHA256
225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712

SHA512
1c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll
Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
Filesize
46B

MD5
f80e36cd406022944558d8a099db0fa7

SHA1
fd7e93ca529ed760ff86278fbfa5ba0496e581ce

SHA256
7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7

SHA512
436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
Filesize
46B

MD5
f80e36cd406022944558d8a099db0fa7

SHA1
fd7e93ca529ed760ff86278fbfa5ba0496e581ce

SHA256
7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7

SHA512
436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
0c12d2fb857699d683801b732fa4329e

SHA1
2e7b41547766bbc138dc3e267103b46e93903582

SHA256
0529af17a62cbfc90596bcbae6f4c34921f1f8a8fe66eb724bf11795d77f2998

SHA512
ba430f6b8e5dbd2f2b5f6720d5b3cf93c2375984af967b35e24c07995e1369018913f8cb646197ac726cfe2fe0eb8a67d3ff00d63cc6a8337b7c93c08d80d9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
2KB

MD5
1bf08e6d3c37df5999a1063d0449b0c3

SHA1
9f814d01d2f634542fe272c2521fd9b41f10bf7d

SHA256
dedd8138ee6c661be3c8ad5f91ac6098522ab8e01c7fa17f29b21835f1d58504

SHA512
1b96e6283e32a8f99df3aed1d31633c9cc057ca0d82c91a43ca745cc3267d3e930ae53bd0a45dd3b94917101955f766a36feb5e89fd650bc84dfe8d37cb96127

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE3AC0D5450E8C830.TMP
Filesize
16KB

MD5
f8ef6cb75da92853fa8c3118e720add7

SHA1
e02b210bebf9e436907f0c9a0b7979bff99a0978

SHA256
760aea44e6a4e411d1fb8d3d131d7fee9838659de67469f8df403fc818d772a0

SHA512
863a27771d492cbcdb09ad2de7048822e1ec5ee2073c2588ef36f79c176282cb6a0c0bce097073c59ebbf368c986dc104bf8a52642635f927e77de5dcb090237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
13KB

MD5
e8e381b6e5f893bbb5bed7eb3f99ae8a

SHA1
8f6bdaaa355ace66e1677512cd9869b107e2363f

SHA256
700b00732814eea5a3cd39bef6d15f868fd337e62506d6d4fff551715d2daf3d

SHA512
319305449b2b5b5cfb7a2266d6b2fda99836a3e3000e07cea9e89aaab8585a4697075688f81e900be7f9729df50a61f5ec604b10f32e91aff0f65d5f22247e97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
20KB

MD5
8d7175fc48419ebf2b10c2063beec9f8

SHA1
7bf666b7dff47593fb652f45f8443ad8be04148c

SHA256
a0d7c82668de5b4e728fbd8f86faafa0c2777bc44f2149a521bf57a85d6bdbfb

SHA512
bba74c24c54fb1ab543bdd09c36728c4b3a108f1f4d59229cd853649597ad86557225b44e1db4ada154cf08db33a0ca9eca9a0e405654aeab6709a06a0674bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\SiteSecurityServiceState.txt
Filesize
1KB

MD5
4791b9c3cf50db8de77a3f51b44e69d3

SHA1
03aed1055e1db53002119e797898e9cf7affc77d

SHA256
cbc27abf9b3c84dc57ab2c6de125635d40263a78c956d8761b58d2050718c236

SHA512
f6736ef79cd39e653efd96afd416c6e798a65c639928127f82d90e420cf517b805ecdf75d0f4825dd67e3e611a12b503e81e036a0aa4f35d36611c67f4b6850e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\addonStartup.json.lz4
Filesize
5KB

MD5
f250c684a241935c2794c30ae164ae52

SHA1
ea384bb1ba6744718b3bb8180800365d19887692

SHA256
ff08fca842608945bab874f225d809065a58d1eda82f37f80f727bff95bc00a7

SHA512
e16698db5705fb140ab0579c4ecbe51ba7fd2d494bf987c23bc5c46294e84749a3f1b43d0ef43fa75e7ce0d1b67ac3c22421717506be6fedb4dac49e2e7870ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\bookmarkbackups\bookmarks-2023-06-29_11_YOIQWWZvOjrHcJKvPcQQng==.jsonlz4
Filesize
945B

MD5
29b621b82f5f5507c84fbd61a772113f

SHA1
b171e6f162f6d60cf4e40ee185eea942a125f103

SHA256
9854b2fcb697561e04b6855d78c7b851e4598072f660c1130591eed831b22492

SHA512
41021b540f151685193e6b9be18118a9e5e79243b9e8aa98cba697585e979e3d5a5a9933a76707cb220d7dbcab43fee540fc422999c812855c751e7d47f0d3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\broadcast-listeners.json
Filesize
216B

MD5
33364bb4cf05f7240753131c4b1cfef0

SHA1
e7b57c227a6ef9c3f812edfcd1acc33d87b192c8

SHA256
fd986ef0506cb7630c69932e3efecc72fe64b00fea172c43200a16ee33d0650f

SHA512
9ed7e27bc2680168e82b4b8eb57f571b6a07bb22eede1de5db3c62e6277672ebbb4debe32256e5390f82dd524fb596a9ad275680c3a562ae2147be380c29e225

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs-1.js
Filesize
9KB

MD5
7df81d8cc68f1126dec62e7407b408b7

SHA1
8d54695f79c239dea79ab27b735fb4e5dcba77cb

SHA256
b6b96c465485f1bdfcc251cf60cf713d3ffdc93ba0f4aab8f9bc7bb10992f7de

SHA512
a0c0ebd5f3b3526c7b8fcacafac0eb554e55482c3df10dad590a7366416f8a58d4fb62bf679fea1dd561e9971762efe0d751388eedf9e1127d06c007d9fa2915

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs-1.js
Filesize
11KB

MD5
6078975af22001dc1ccb60291e5d1c53

SHA1
76036ce60a296c0dc56a8539b2456a587fc5b5d5

SHA256
582689cb90ac43e1f44f419947b8d9a5830ffccedf490abfad862e02eb125cb4

SHA512
36634b80791b701a0793470867a78be6cc7bec3d6b4d9f870ba511c7aaaedc75846da4b31e88a2d530c8a90cb2e2493aaf16e84bece8926c71bfac46e25c01ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs-1.js
Filesize
6KB

MD5
2f4bf9760b23f4c200b38496cb13ba07

SHA1
8058bf3decef48d5b4fe524c5faf18f8c7e1575f

SHA256
e563bf3a35087451def2872174d615632f23486cbe1abcf73d1186334076193c

SHA512
86e92a8168fc347b6d13b924a9c1ab4b29a0a05090ca5bf2e202567d51a396f461f843d6600169041de1e033aa59450875af7a9554cc69f962350574e3795fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs-1.js
Filesize
7KB

MD5
7ac8b6fd98156bc256330dc236b3ed42

SHA1
be1c1e4194b4b071f451c9db63b331a278b5ddfb

SHA256
3aa82904fdadc0e785d5e081f1bb29b651c6974f821153e344c3c03f667bd098

SHA512
3fb0fc1693a36bfdf8c8d8d934a987614914c6a39e6fec353d8012ac7863b469efb7229ef72af228d4b26563f187f3f8de5e2497fcc419b575fe1ac739150e93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs.js
Filesize
6KB

MD5
fc3b2ce43cfcdab8e88bd7bf0f2dc9b3

SHA1
5f3a2689d186b75039e63d9ab9a71b30a32689c4

SHA256
c08aca528e549b57b0bda42f7b58efe5efcd45db8b84f3d7f28a2ba053d57c9b

SHA512
b8fd624f9cec19ee93212faf187a94e635f2531e3aee63a8e8d48cad7358e030d74dd0d28e0ea0efa7d3dba47c448d8fac9fed11baf140a9eb020099d3c8e824

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs.js
Filesize
10KB

MD5
2fbc32e5eddf2aaaa7949a40480a3ae5

SHA1
1190487a765cf6027ccf5dad60c7db5cb64b32c2

SHA256
3021cff691952afc63d4267381f3e0e530d7918715530de27c248df5d84e4c71

SHA512
c634ab591e7159c980b4f8868e13748980bb3595b2347e6cc3c1b3063fbea17b7a36406620bebce3527e4ed8ee07dee1672cedbd61dbfe30b9eeaaffd5f139fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\prefs.js
Filesize
6KB

MD5
5d7db9084a3bf285026b0a0db35ce277

SHA1
2679f484da42942906e168bf3df55a2abb1e1501

SHA256
d1af83a91440a618a5ee4b450fa749e7686dc19abb4c4f78b4cb47129bb446f4

SHA512
37375743bb52d8bbb50251cd00cb2e546e96313993c345427e9710e6cad79435907323c58010403cb9b16da21b48dcea49eeecf69febf7132190229529e2b206

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\search.json.mozlz4
Filesize
296B

MD5
033eb0645837c8b618a593f7b9a72642

SHA1
cf4c2e7ccaa275ee47cdd945a7bd1f8b57c61172

SHA256
3409fd08295094b37673d748a0374cf0afaecf1671188b2ed012626cad67a582

SHA512
27dd0743306b0845c06b3be3e3ae2f515777dced4bbf91a4864bb95c5873e2d6351d99be36d4762a2ba8262130c6d139db3f4f5272afb8717e02b09c1e39c2b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f19c2d27f231ba93bf1e281848aac2bf

SHA1
8ef82859d680d17e401e0e5bc714fc5bc412478c

SHA256
a7749d6e04e4934ef4396ed8f13545c8a5a4aebd7e02f230f94c44b76cb2b0e6

SHA512
47fea985b7f31d1cb8b34b71f2fd345764ac6cad2471aff6380bea374e70ff0f41d11781d5d4301410a8ea9445a44091237ef1c68a8697d0e909845b2a8c238e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
ce3260c6eaa7c954ec3e034e80500cf6

SHA1
eeb80537661cc0a303b1f04dd600637336b5d6f4

SHA256
dce73cffe59081bf3494359a0c81816b7aeba504a8ac5f80edd435e624d8105c

SHA512
7a085b34be744a9d0c7951eb4ff8aefc812f928f0b1cb9fc8fbcea20ada0980493af13321034dd992c75f8f49d6bae607654c18ea35be1634763a53f4bceafbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
e69428b6a62dd4b599671f81659155c1

SHA1
6fe989dd7a3f8ab8a2856daff3e4f8df567aa7ea

SHA256
a653f20ab73b969dc1c9404b3855df740a127f06d05322fa546de15773b9fca8

SHA512
ef7e25024efc30f5713b9782372b9357097dae8fb96393e3b20442b195ca197718e8fe025d77bddaaade3f800e6425003812978119c551c89c0edfd8e19352f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
dc9af9b1e4724b6898bd9e2ad95f90a3

SHA1
56f3fadd9f8ebe7f2401ec03d21a01ea0bab6cee

SHA256
080d8bd7e43b6ecf5e72f237e66a8431e5bf7321f20bfddb5c220539803cbacd

SHA512
a067bcf2a9cc5ab6712b099a7448ffe777a2afefc7777c4438d66fce8d827f06ac19272be832defb007de5ce3a40c6f5d51a77cae4f9bf08712cee52d2534f15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
a31cc34ee7bc5ed897481afeaa518b95

SHA1
6375f6005a73abf1b8ba0ab8f2c9cbb44ffdd52a

SHA256
7baa8116b78c8bcd701bcaeb84cff8e4d9e1fec51fd90db908a771675299690b

SHA512
c815d45dae8e3e384d6bb7764892fe603366aa85f4aa39eb41f604ca416ec882ee8b3ff6a3b7074d0062378c7d2b94cef8b9db752ba4e499e07af7dd589c7e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
4df0ca22d38ee679e3d6cb989bd5fd02

SHA1
2b4c016a9d2c52ed853002d0df7bb4f424d62f8e

SHA256
c4da806d1ee191be8b3e106d261de27c472fa7bfd445c77b972f0038f820ec5e

SHA512
c3455150a70df038ab54adfc9a02233ba2e1ff9f08e459cb2dde81b6b057521dfb14975df049c64a09a56c43c48a241a4770c515950292d2102915bc1e2294df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
48ade271b0f7508bf64d68d02d434e47

SHA1
7cdf34caf2494295b5b7dc80f727185e57cb20e7

SHA256
bf2ef19f2e271058c0692c730e11dbce375a74e096346fe2d5fc476badce44fc

SHA512
8f9e70ccdaabde8f6cf5ccaa633bb8d7bdebb87ffd25cd64103e465dabe34c93b4202c90d806be1ab54a28d33084b128ef4adc1a5bec9c4baad38c065941b468

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
c7073d2fcc8ea287cbecb2cf69b27a9d

SHA1
a028b23f12bf6fd87418510484c639366c9e1713

SHA256
bc76e146d62ee1b09d76e3fe9dc5418f44f72f6bf23c1330c484117a2292460c

SHA512
b049a702e335879954e710e492f0d0fdaf9d84725cf3438b18e293fbf9caf3bb10bfaab929614423ca3949631261bba411cd960414c07be00f1d14cb75be003b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
0a05ff0f1ecdcbb68e4f245e62333843

SHA1
9332a92f4c6c576380ca7deb7382f9f9bcbd45af

SHA256
b41c6e0d85d9e90453d81989d37c6fa0bbf3ca52bac0537d68f849968e2e64be

SHA512
d7f4b88bf84217a2d8fe04fb0849efc8611669016f4cb4434d51c3a99d623738aeab4180eb5bace8122c3b2a94868c89b7f90a19342463c9d62ff7eaa0f8e47d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
45669635bb7de57658031512dd1210a9

SHA1
efb65727c22368a44e2c715c7b0a7c0fb0eaf10b

SHA256
57c5c3270e1928e4d3529320baa72fd5720ee3776699def8e631de29b3e35ded

SHA512
531c77de969a4f19910a7a16520d5d12fca1e8e15c492e629b11ad7886c9a151de2fd23307af593d49850f2062ffc6b6e09f1ee7f44ec3745cea20ac688e06df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
13KB

MD5
e60a56464925e84b7945262821b26330

SHA1
bc18cca0b9a24cb999d58a5c4663ecfd5583b8ea

SHA256
7e22592fc66e8f61d1ec9ecc4a363d32fab6c682a31bd4471b0b9e5819168fe1

SHA512
84181f636ef04fd0feb98241bc3277e4e9ed47e774327f8954994e3183d30b1f75b3190290fb10b697fffd2dd3db0dd2f57a3a80b7287445b1f82b52b45814ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
13KB

MD5
efa8d6cac47a00d1ccac7e9b37629a81

SHA1
0d3d88c26d5a50dac7c3c1d43a487e016c68f2fb

SHA256
90d8b0c7628db01ce898179e788256886e6e7ca08f2a2f930510c61820d8c055

SHA512
8f645cf6bbfe093fa41827c78b0aad54252434e79439cb611caf3ba31adf2199d52899b4bdb6e769c2c253818f3ae1dd518885dbf1811fda2b430de0742ba45e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite
Filesize
48KB

MD5
cad32fbc86ce6784d313213fa4543061

SHA1
530588ffe027138192d330bf59f32d3a0147392f

SHA256
9d25676164616880be48213afd9c31f8ba8e5691bc7a387d6be20e52a04c1012

SHA512
a22adcc0fa3088383bfa14027e7204ae31aee22768056ef94eb0c3bb56fd51bd9c455f832b950e78475eac7f11fe38ab57479973aab0e1b3912d01038450f88a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\usage
Filesize
12B

MD5
a4b57866747aa8bc0828ccb259689903

SHA1
b77c045f5580c81a6cd07a5e5d2271064aa52233

SHA256
395c2160a5f25f4ebff4939482f032465544c7d1105b8f93b529552a1f8f7b88

SHA512
f5e9b04e525e1bb7a913c3e02504f98b1f860cbc487029075c668cfb560bcf85855d7e48ad19586368becbb6157872b70a083a40081c2c109314ccbe9e5825b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
552KB

MD5
8fae55ff2d41dad92b00711b34fe1f3f

SHA1
7c1d80ac89410824dc6dd0431b1dbedb373961d1

SHA256
0e923fa4e3758a7f79b5b24c26006586aa4c98d54541b2d8856c94f6663ce5d1

SHA512
fd0930e69461f6c3d55e62c5c1f124ad2fdc2955a636f794fe6f0b23d19f80adaaf1d501b7ca5cb01b5ae25e2a6d375d86e20daefbe3467fbc1cbba076adec55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\targeting.snapshot.json
Filesize
4KB

MD5
39210eaf000362bea8a4fa0ea78e106a

SHA1
aff4e77364913b34d2e6db34751c43e6e0902633

SHA256
2149eb333127875af21a2b71cc3d05390f1283813217f2f4a0493cd30c88910d

SHA512
b2c16438183cafa848665976f5209f10385b6819883bcc109bc01f22c64275c935ad740ae758a7c78e1796cac3b0876c25d81e76753606ded35fcd5bc79372a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzal0frr.default-release\xulstore.json
Filesize
217B

MD5
6d87256a2b21b9603b7d731eb033b9e0

SHA1
8e2603f254af21d5dcf310fdb5a688e9097aefd9

SHA256
5b3e57bf27b98cae50a753101df9a00a1f6d96886c1a92c4106a6f7eaf6d09a2

SHA512
67bfabf0b5d3fc75b5223a5da836e6909b2af8d98172120fc5efc0b0f6ece72b6cafbdd97ac170bc5357d85a39b15fda7e2df861981d193f84cfca82f360e156

Download Submit
C:\Users\Admin\Downloads\Bonzify.exe
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\Downloads\Bonzify.exe
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\Downloads\Bonzify.exe
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\Downloads\Bonzify.mQy-kfYD.exe.part
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\Downloads\KYQICrLz.zip.part
Filesize
3KB

MD5
512066537f528631b41638ed25891d6b

SHA1
c640b7acd1ade524d4351052eb400881f2f8dff6

SHA256
bbcce67b9de792a506cf0228321d4a4e02d0cee128d3085dd7f7e7f989c45850

SHA512
d02ef9cf4b92cff6cb758d77179e6d2d1bdb5901fecbad7110e2394219d63cecdf2aee51d39b684fbe37fbf52048bbf35ef8a04cad6a9ac4ec01092eab9ef8ba

Download Submit
C:\Users\Admin\Downloads\WinXP.510GEAtC.Horror.Destructive (Created By WobbyChip).exe.part
Filesize
24.6MB

MD5
d7bb04d5d816e2145d7d2bb625aa8d82

SHA1
4d3b40e4524429e0c10b81fbb60c8be8ca0f9929

SHA256
9aa589d7afee5e07a858293526c65624805e09ef7f65f1d1611ee4dbc1b80e1f

SHA512
e0631ceb364f7aa350979ebb54a9dbf9d815daf7a96fc6febf7e6f86b32c0093df7353f3ebbc338fa81961bd1b917ca478142751630ef9bae689b005704b38c3

Download Submit
C:\Windows\INF\agtinst.inf
Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Windows\MsAgent\AgentAnm.dll
Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Windows\MsAgent\AgtCtl15.tlb
Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Windows\SysWOW64\MSVCP50.dll
Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Windows\SysWOW64\msvcp50.dll
Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Windows\help\Agt0409.hlp
Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Windows\lhsp\tv\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Windows\lhsp\tv\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Windows\lhsp\tv\tvenuax.dll
Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Windows\lhsp\tv\tvenuax.dll
Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentDP2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentDP2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Windows\msagent\AgentDp2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentDp2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentDp2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Windows\msagent\AgentPsh.dll
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Windows\msagent\AgentPsh.dll
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Windows\msagent\AgentSR.dll
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Windows\msagent\AgentSR.dll
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Windows\msagent\AgentSR.dll
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Windows\msagent\chars\Bonzi.acs
Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\intl\Agt0409.dll
Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
memory/1556-444-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-446-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-445-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-440-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-442-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-443-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-438-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1556-439-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1556-441-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/3276-2621-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5420-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4446-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4445-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4443-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4428-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4427-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4423-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4083-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2769-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2600-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3276-2603-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2608-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2609-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2615-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2623-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4449-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-2617-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5400-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5409-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5410-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4447-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5421-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5422-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5423-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4450-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5461-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5462-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5477-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5478-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5479-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5480-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5482-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5483-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5484-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5486-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5494-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5495-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5496-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5498-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-5499-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4451-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3276-4452-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download