Analysis Overview
Threat Level: Likely malicious
The file https://github.com/TheDarkMythos/windows-malware was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Downloads MZ/PE file
Possible privilege escalation attempt
Modifies AppInit DLL entries
Modifies Installed Components in the registry
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 21:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 21:50
Reported
2024-03-23 22:01
Platform
win10v2004-20240226-en
Max time kernel
156s
Max time network
635s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Downloads MZ/PE file
Modifies AppInit DLL entries
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SETACCA.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\SysWOW64\SETACCA.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\msagent\AgentSvr.exe | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA4ED.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA4FE.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\mslwvtts.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA56F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\INF\SETACC9.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA48A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentAnm.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDp2.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentCtl.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA4ED.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\SETACC7.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\fonts\SETACC8.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA478.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\intl\SETA56E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\SETA55D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA48B.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA49C.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentSR.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\agtinst.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA489.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SETACC6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\INF\SETA4FD.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SETA4FD.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SETACC6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDPv.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SETACB6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SETACB6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\andmoipa.ttf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\SETA56E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentMPx.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA4CD.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\help\SETACC7.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\finalDestruction.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File created | C:\Windows\msagent\SETA48B.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA4CD.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA4FE.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA49C.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA489.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA48A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA4CC.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA56F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\SETACC8.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SETACC9.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETA478.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SETA4CC.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentPsh.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\help\SETA55D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\Agt0409.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\tv_enua.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\executables.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133557042386130125" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacters" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent DocFile Provider 2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\ = "Microsoft Agent Server Extensions 2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCtlCommandsWindow" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\0\win32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA141FD0-AC7F-11d1-97A3-0060082730FF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA141FD0-AC7F-11d1-97A3-0060082730FF}\ = "Lernout & Hauspie TruVoice English Text to Speech Engine" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ = "IAgentCtlRequest" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ = "IAgent" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe\\2" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{8B178D97-5183-44B2-8D62-36C1B79977B1} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\shellex | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/TheDarkMythos/windows-malware
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb0d19758,0x7fffb0d19768,0x7fffb0d19778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4852 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=744 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1908,i,12151276972519147495,1391578968934937225,131072 /prefetch:8
C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x300
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\notepad.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\notepad.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\PrintDialog\PrintDialog.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\regedit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\regedit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\servicing\TrustedInstaller.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Speech\Common\sapisvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\splwow64.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\splwow64.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\sysmon.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\sysmon.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\sysmon.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\agentactivationruntimestarter.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\agentactivationruntimestarter.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\agentactivationruntimestarter.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\appidtel.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\appidtel.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\appidtel.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ARP.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\at.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\at.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\AtBroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\attrib.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\auditpol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autochk.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autoconv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autofmt.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\backgroundTaskHost.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\backgroundTaskHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\backgroundTaskHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\BackgroundTransferHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\BackgroundTransferHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\BackgroundTransferHost.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bitsadmin.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5604 -s 5988
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bootcfg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bthudtask.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ByteCodeGenerator.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ByteCodeGenerator.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ByteCodeGenerator.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cacls.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\calc.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 1156 -ip 1156
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CameraSettingsUIHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CameraSettingsUIHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CameraSettingsUIHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CertEnrollCtrl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\certreq.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\certutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\charmap.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CheckNetIsolation.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CheckNetIsolation.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CheckNetIsolation.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\chkdsk.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\chkntfs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\choice.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cipher.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cleanmgr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cliconfg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 5876 -ip 5876
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\clip.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudNotifications.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CloudNotifications.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CloudNotifications.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmdkey.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmdl32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmmon32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmstp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\colorcpl.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\comrepl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\comp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\compact.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4864 -ip 4864
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ComputerDefaults.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\control.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\control.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\convert.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CredentialUIBroker.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CredentialUIBroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CredentialUIBroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\credwiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cscript.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ctfmon.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cttune.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cttunesvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\curl.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\curl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\curl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dccw.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dcomcnfg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ddodiag.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DevicePairingWizard.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dfrgui.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dialer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\diskpart.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\diskperf.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Dism\DismHost.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Dism.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dllhost.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dllhst3g.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dllhst3g.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\doskey.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\doskey.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\doskey.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpapimig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dpapimig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dpapimig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DpiScaling.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DpiScaling.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DpiScaling.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dplaysvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dplaysvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dplaysvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpnsvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dpnsvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dpnsvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\driverquery.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\driverquery.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\driverquery.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dtdump.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dtdump.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dtdump.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dvdplay.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dvdplay.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dvdplay.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DWWIN.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DWWIN.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DWWIN.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dxdiag.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dxdiag.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dxdiag.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\EaseOfAccessDialog.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\edpnotify.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\edpnotify.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\edpnotify.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\efsui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\efsui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\efsui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\EhStorAuthn.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\esentutl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\esentutl.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\esentutl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eudcedit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eudcedit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eudcedit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventcreate.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eventcreate.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eventcreate.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventvwr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eventvwr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eventvwr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\expand.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\expand.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\expand.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\explorer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\explorer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\explorer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\extrac32.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\extrac32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\extrac32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\F12\IEChooser.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\F12\IEChooser.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\F12\IEChooser.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\find.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\find.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\find.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\findstr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\findstr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\findstr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\finger.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\finger.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\finger.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fixmapi.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fixmapi.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fixmapi.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fltMC.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fltMC.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fltMC.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Fondue.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Fondue.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Fondue.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fontdrvhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontview.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fontview.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fontview.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\forfiles.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\forfiles.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\forfiles.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsquirt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fsquirt.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fsquirt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsutil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fsutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fsutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ftp.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ftp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ftp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GamePanel.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\GamePanel.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\GamePanel.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\getmac.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\getmac.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\getmac.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpresult.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpresult.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpresult.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpscript.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpscript.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpscript.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpupdate.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpupdate.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpupdate.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\grpconv.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\grpconv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\grpconv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hdwwiz.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\hdwwiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\hdwwiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\help.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\help.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\help.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hh.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\hh.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\hh.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\HOSTNAME.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\HOSTNAME.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\HOSTNAME.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icacls.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\icacls.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\icacls.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icsunattend.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\icsunattend.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\icsunattend.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ieUnatt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ieUnatt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ieUnatt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iexpress.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\iexpress.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\iexpress.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\imjpuexc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMETC\IMTCPROP.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMCCPHR.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\imecfmui.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\imecfmui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\imecfmui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InfDefaultInstall.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InfDefaultInstall.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InfDefaultInstall.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InputSwitchToastHandler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InputSwitchToastHandler.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InputSwitchToastHandler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\setup.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InstallShield\setup.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InstallShield\setup.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\_isdel.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InstallShield\_isdel.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InstallShield\_isdel.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\instnm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\instnm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\instnm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ipconfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ipconfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ipconfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicli.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\iscsicli.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.109.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 216.58.208.106:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| NL | 216.58.208.106:443 | content-autofill.googleapis.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | 22.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1900_TZKQSIJXGLKZFTGT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | cbaaa96ad1dfeb3cc3ed00be10ed19e5 |
| SHA1 | adc5b1db561095df67901f57ca38a9650f209976 |
| SHA256 | 6d6c576f23c527bff8c88d31de4429ca4fa62bbfadbd75eb82b113e5d8f9a55c |
| SHA512 | 80b6829cbf165b01bfd708b63cbfb25de88c994b94c6cb46a6f7e412c141206d440e6eb831def964e8d0cb5298e7514ebc4c798a44f553ae246a6785aecbd36c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bfa7db392c15e350649ef259d8591f1f |
| SHA1 | 7cae92b6daac4835cd2cf26e3a74d773658c1e1e |
| SHA256 | ac3a9174d8062e266ad073e692d9195935e09b9c417fc4358cdbbc3fb2070062 |
| SHA512 | 1e641b16aea386f086adf575b4a662d0d5ef748800213dc2b5ca3402491a8c43804688d71ab7e41fbf9fc5c9da7a0d05088717616d156bb836639e2922f8c2cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bfa8772c6017db8d32d7888946d08acc |
| SHA1 | 67d3468465cbf92189210d2d2fff8bbcee67fd46 |
| SHA256 | c291b9a1d8723ebade39126b99db195dc1e2cda521f6ae506579eeeecdac7c91 |
| SHA512 | 730a49bbac9147493450be7d67ca6c82a72b06f4598bcd8e123a3a096b540f928acd54cf3706f970c409f9504de2f8799ef74e2b956cdb3293aca24d10c407e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4f7c740b07039a469e1bccaeb94afc2c |
| SHA1 | 1430e87707c2799f25f248f9dd812bc8d2f0f3b4 |
| SHA256 | 4841dab32ba261d1f7b7e5b0405b75cc583a70a32e174b8676aa2b845ee02e43 |
| SHA512 | 4b2e799e9264c1c7bc25f27faabf964ae77b0a3278b627910e1b6c8bd81b6273c2d5aaaec6fae5f1d18babe0a428b447f13ecdd846244b206aff81e99d5787e9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 97df762bfcdc254dfe3bc567f2da370b |
| SHA1 | 0769cd70b9f3bd2ad35bc3d1519bf42421211844 |
| SHA256 | a8c897ae76d2ca7d6ab121c957241fe544ca50ec611686a85c6fa4eb45157993 |
| SHA512 | a97658a3287195261bde1ad4f1a5b4a742ef918f9a13c809a700c6bf263051536057fc687add0908bde344afe381d5e24f1365b1e97b9355e8dde2c990a68f6e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c2e313a06a3b8d40080f04bad4545bac |
| SHA1 | ad2d6b4a81f36ed487d2feab492ddd659fceaed8 |
| SHA256 | 2a3d9205f5bb5df9ed0563893273ba2384da73528682e3209b673f9a54a24038 |
| SHA512 | 2d1ce03839fe85d2d9691d998fb009437ef15c6ec73fd7c749c331d2aa06fdcbd918bb8da7db54c295d1beb2218947dfe03b54f752be39a3093f56ba54176c58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 56a590d91325f94f120b308b97487188 |
| SHA1 | 25f6990f92911fad3983fac0e0e2b281aa398019 |
| SHA256 | 968aea986474be7bdda0e5e68752d9ab9024f91b855a0987e0fa5ec091240ca9 |
| SHA512 | e5372f55e16b52af91136fbb0762c26e00d9a3fd6e5d22590496229c44ac853a9752398d2fac1281b1b12e76ce8ae473ed4af576105882454252b5a2cfe375f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d2cb6cb7321440088e73069596b8ed45 |
| SHA1 | 1a7b2d1f71d47e4f10eda3f4fe671a07f8a442cc |
| SHA256 | 9dc74439b7fa02fcd1bdea2d55e9bb2964bc34a96f7f4fe19de9325796cecd7e |
| SHA512 | 9b7b8616ec539f59be5b3f6c3aeb84cf2795265a820f6be531b8dd370021793694b6e9009a3e9b816cdf7ef629d86c317c9b9eb5824cc71178fe393c60aab9ae |
C:\Users\Admin\Downloads\Unconfirmed 739730.crdownload
| MD5 | fba93d8d029e85e0cde3759b7903cee2 |
| SHA1 | 525b1aa549188f4565c75ab69e51f927204ca384 |
| SHA256 | 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764 |
| SHA512 | 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\89fa24ac-ddf9-484e-bdc9-14066f4ad47f.tmp
| MD5 | c9f064ff5d21b3b3a9c338b980bda3d2 |
| SHA1 | fcee04c0ea0e1acf46c51f534b9df313cd8cfec2 |
| SHA256 | 78f9c8dd22ad77f329e9cafd5dd522510636aaa1ce2d4f113c0847723dd8264a |
| SHA512 | 1c529bebb27a9f03af732007f8cf3b47afaaf186c97ac5980773219f82b27fb86f2b0ea14c3223b8983be2846b5635b7ffa7dfac8e8c789207f49b4ba58fc201 |
C:\Users\Admin\Downloads\Bonzify.exe
| MD5 | b595d4c9ec0fd3c8a435e392479aa1e4 |
| SHA1 | 3eb0e8b6f6a47354c93c1b8f6ba1b64b3cc5702e |
| SHA256 | 8a4caa4291b7357d12e80650e4ee3f6af44ddbe036c715fa2055ac32158206c8 |
| SHA512 | 0c090d5c514dae2994e7c9a113cad7386d7688f430be1548bac2353678bcd79b083d1bcf6737b5333c1135ab34eaf546f7388f7c7092f5dedc779f7bb006e571 |
C:\Users\Admin\Downloads\Bonzify.exe
| MD5 | d68660dc4fb92681b9207eece0677ffe |
| SHA1 | 0c6f2014ed2239df9e70b5498a00501a91bc369d |
| SHA256 | 5e579809555a0d721e3d02be1b40d994403720897b9e0155aa7196cea728af2c |
| SHA512 | 9a881286a40b71d7c64ed64b0470ec00e9ce00d771ba9969e1b8000370c2591f6698e063d3af71aeb18db3eea25ad7c5245c6973e6dd31522493419eaae011ee |
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
| MD5 | ea7df060b402326b4305241f21f39736 |
| SHA1 | 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2 |
| SHA256 | e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793 |
| SHA512 | 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6a601e48a48735301d51b61e5defa1a5 |
| SHA1 | 33775ade94f7eb47b1f152574f73e28dc43c0b9f |
| SHA256 | 0791c225f05536fce5e045c05093c3e676f276db93c633863a22b4a229923d36 |
| SHA512 | 96c183c8b4a08af4ef32d9208f6ef64c81eecd2c52c592bfb268eccc3cb899ce76bf0295a5964759474ecbcc1bb5354fbf26cd82678b71cac69e88ab18ee92fc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 33fced0922170d8daa7e8c198a18464f |
| SHA1 | a27dadc0c422703e78a0fe2b441370102c1be37e |
| SHA256 | 119a152aa1a4f7efe7f256713300df255d4642d537da3bac61ef487a8be44877 |
| SHA512 | 8bbc1385a7ef76add705c7014af56d100bd92833a2ce201ae32a3df4525e37e810572ec5180b9b63b00c019c60d244dc128be17ca59fafde128f61c06228738e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 14b01337c8d4139c3762b3a7e3d4dde1 |
| SHA1 | 6f407032b1a6811606b76d45862186a90bc282eb |
| SHA256 | 7435eb262558ca7cde4a78fc6170e51671833a00b4bf3954938ed7fe3106cedc |
| SHA512 | 548f67bdbd5814634a5e5727bb544d55488cdab19da531f1b36b5193403d660b8c7b5d2d0944e0a647c1e06b3261210e877c688db2169b7ec7474714d9e5a036 |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 66996a076065ebdcdac85ff9637ceae0 |
| SHA1 | 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce |
| SHA256 | 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa |
| SHA512 | e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c |
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
| MD5 | f80e36cd406022944558d8a099db0fa7 |
| SHA1 | fd7e93ca529ed760ff86278fbfa5ba0496e581ce |
| SHA256 | 7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7 |
| SHA512 | 436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
| MD5 | 81e5c8596a7e4e98117f5c5143293020 |
| SHA1 | 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081 |
| SHA256 | 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004 |
| SHA512 | 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
| MD5 | e4a499b9e1fe33991dbcfb4e926c8821 |
| SHA1 | 951d4750b05ea6a63951a7667566467d01cb2d42 |
| SHA256 | 49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d |
| SHA512 | a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
| MD5 | 5c91bf20fe3594b81052d131db798575 |
| SHA1 | eab3a7a678528b5b2c60d65b61e475f1b2f45baa |
| SHA256 | e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175 |
| SHA512 | face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
| MD5 | a334bbf5f5a19b3bdb5b7f1703363981 |
| SHA1 | 6cb50b15c0e7d9401364c0fafeef65774f5d1a2c |
| SHA256 | c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de |
| SHA512 | 1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
| MD5 | 4fbbaac42cf2ecb83543f262973d07c0 |
| SHA1 | ab1b302d7cce10443dfc14a2eba528a0431e1718 |
| SHA256 | 6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5 |
| SHA512 | 4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
| MD5 | 48c00a7493b28139cbf197ccc8d1f9ed |
| SHA1 | a25243b06d4bb83f66b7cd738e79fccf9a02b33b |
| SHA256 | 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7 |
| SHA512 | c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
| MD5 | b127d9187c6dbb1b948053c7c9a6811f |
| SHA1 | b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9 |
| SHA256 | bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00 |
| SHA512 | 88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
| MD5 | 316999655fef30c52c3854751c663996 |
| SHA1 | a7862202c3b075bdeb91c5e04fe5ff71907dae59 |
| SHA256 | ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0 |
| SHA512 | 5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
| MD5 | b4ac608ebf5a8fdefa2d635e83b7c0e8 |
| SHA1 | d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9 |
| SHA256 | 8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f |
| SHA512 | 2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
| MD5 | 9fafb9d0591f2be4c2a846f63d82d301 |
| SHA1 | 1df97aa4f3722b6695eac457e207a76a6b7457be |
| SHA256 | e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d |
| SHA512 | ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
| MD5 | 7c5aefb11e797129c9e90f279fbdf71b |
| SHA1 | cb9d9cbfbebb5aed6810a4e424a295c27520576e |
| SHA256 | 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed |
| SHA512 | df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
| MD5 | 237e13b95ab37d0141cf0bc585b8db94 |
| SHA1 | 102c6164c21de1f3e0b7d487dd5dc4c5249e0994 |
| SHA256 | d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a |
| SHA512 | 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
| MD5 | 466d35e6a22924dd846a043bc7dd94b8 |
| SHA1 | 35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10 |
| SHA256 | e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801 |
| SHA512 | 23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
| MD5 | f1656b80eaae5e5201dcbfbcd3523691 |
| SHA1 | 6f93d71c210eb59416e31f12e4cc6a0da48de85b |
| SHA256 | 3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2 |
| SHA512 | e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
| MD5 | 0cbf0f4c9e54d12d34cd1a772ba799e1 |
| SHA1 | 40e55eb54394d17d2d11ca0089b84e97c19634a7 |
| SHA256 | 6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1 |
| SHA512 | bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | e5d1db6a97fd398d0c7f2ec5c3a5ee54 |
| SHA1 | bbeb03cb64d58cca1c91b52e5e938bb9e8d25dd3 |
| SHA256 | f737c901f096bd25936f5621e23c5c3704d38b847ee3690326af6f8c7b7ae9db |
| SHA512 | 5f5781c2756ad6e9c5040bd1ec26c70a2728faefd1db70c0bfc67ace713adaf7a978de13b3f14c7bb6b13b76f6ce964babbf766a7af76504f6582b372da9fed3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a65d.TMP
| MD5 | cda54ad928ddd19e874fa41a2e314ccf |
| SHA1 | 6092e6a9ab0901fd27dc049bd4ee2e425915e012 |
| SHA256 | 3432cea135fbd43a1e5ed5f503dc21ad633a55c11ae3d6d0d31629605a71bec1 |
| SHA512 | ef3e39716d69f625e94142e102d052ebfb99b765a0410bd49b73a82094e7ad4c4632c2f5a6dc55a542d8649b36d51fda97ed9691bef7e7165f42a96d6ace8b16 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 82d55917ea2730310979faf41cfc8754 |
| SHA1 | cffb403eaa545688596343ceb9ec71f897b155ec |
| SHA256 | e674e25bd0925de8a19a88f03de92ceb2f511b2201980ca494c1dd9f2eb5a142 |
| SHA512 | 15f03fda9bf8369f55e34a294d55e6317dcffceccfbc6ca7f24dbee4b575615d83548eb05bb7992fa28f7c5787ba8dc86a20e73e542191be4727e0eb235fdffd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 78d5ccfbf89e2af9e292a2b6356c9418 |
| SHA1 | fd078431ba4a9968f5416460aee363aed3fa5db5 |
| SHA256 | db9d4d2b3c0e81098a30a78440f83d2170851c8c439dca32ec9e83f870ace5bb |
| SHA512 | bd93f7ba8f3cf422111b5a877aa8752ee2cd4ea59634e522b972206d2b34151abd64d544bdf2ef36bd3e48fe487a8a6277d72b1a0112560881d4d0e52dadf549 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 24d3e03ab439a873f1b54a12ad2a737b |
| SHA1 | 02138015103437a8e654ec1377ac3d55b99106c1 |
| SHA256 | c4e15b93c9717ae9f2df7cfccc2143d78657f6c0f0f46a66328afe39039cb8f6 |
| SHA512 | c054c54ba48ea7d266152d5c4e057ad5c3076a5ea577fee6e95be1b9d143a7ade692fc6c5a67f5ef6bdb4d2943143fb5093ebbefa24768193ea8055877fac84a |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 3f8f18c9c732151dcdd8e1d8fe655896 |
| SHA1 | 222cc49201aa06313d4d35a62c5d494af49d1a56 |
| SHA256 | 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331 |
| SHA512 | 398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
| MD5 | 7210d5407a2d2f52e851604666403024 |
| SHA1 | 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9 |
| SHA256 | 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af |
| SHA512 | 1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
| MD5 | 4be7661c89897eaa9b28dae290c3922f |
| SHA1 | 4c9d25195093fea7c139167f0c5a40e13f3000f2 |
| SHA256 | e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5 |
| SHA512 | 2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
| MD5 | 0a250bb34cfa851e3dd1804251c93f25 |
| SHA1 | c10e47a593c37dbb7226f65ad490ff65d9c73a34 |
| SHA256 | 85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae |
| SHA512 | 8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
| MD5 | ed98e67fa8cc190aad0757cd620e6b77 |
| SHA1 | 0317b10cdb8ac080ba2919e2c04058f1b6f2f94d |
| SHA256 | e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d |
| SHA512 | ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
| MD5 | 1587bf2e99abeeae856f33bf98d3512e |
| SHA1 | aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9 |
| SHA256 | c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0 |
| SHA512 | 43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll
| MD5 | 497fd4a8f5c4fcdaaac1f761a92a366a |
| SHA1 | 81617006e93f8a171b2c47581c1d67fac463dc93 |
| SHA256 | 91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a |
| SHA512 | 73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
| MD5 | e7cd26405293ee866fefdd715fc8b5e5 |
| SHA1 | 6326412d0ea86add8355c76f09dfc5e7942f9c11 |
| SHA256 | 647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255 |
| SHA512 | 1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | 0400c42d87b79e8f3e957b0086f1975a |
| SHA1 | da46d3177ef1a6392fdbaed1cfefe4e4e70f6b20 |
| SHA256 | 222a04634675d7f3034f9f17a7dcf7418796e53052027d4c1a4972f683184a8b |
| SHA512 | 842541b057e21bb68a83c3022edd1da30437cbf2ca2086e854a1805115da04eae36c4a8c444d963e40e26321679ae99ce4ec0313c82cd453f9e6f683e85b7929 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
| MD5 | c3e8aeabd1b692a9a6c5246f8dcaa7c9 |
| SHA1 | 4567ea5044a3cef9cb803210a70866d83535ed31 |
| SHA256 | 38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e |
| SHA512 | f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
| MD5 | 80d09149ca264c93e7d810aac6411d1d |
| SHA1 | 96e8ddc1d257097991f9cc9aaf38c77add3d6118 |
| SHA256 | 382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42 |
| SHA512 | 8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9 |
C:\Windows\msagent\chars\Bonzi.acs
| MD5 | 4abccde77860b386cb703dd0cfc72585 |
| SHA1 | c5f4dd9059a6a2ba093c0c633a21149ce0fa0a2f |
| SHA256 | 07f5bd1c7c3d9bd916aee56884604856787c123f100301120a674623227f6304 |
| SHA512 | b737d2a4e764db2a550e717a145a2e349bdee03d619d4c93117d8c0ee0dcc9d048b27d97ef85e543c4965baafbbe3a397919c2bd9753c69ad65e54fa1f8efa6f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | 5d2d6696c42d2f765705efd8cfd5b434 |
| SHA1 | 43b10cf3c2f3e7c46b4e6adb5f57e7a5d9cf502a |
| SHA256 | b9a6417d3bb0776a884f262c8df2f37b59f647e91b4b95e28f92f0c42cde2440 |
| SHA512 | d31dd7d0ab05aa7f2e5b46bd7bafa22a9910d58cbd840ab84d701aec7da74fd677406e258eb0599e57fec8fbe1ff053aeabe619bbb5c463d76de038cceb77071 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | 02fd8612a5bd27e9fc4e895b0fce88af |
| SHA1 | ca013f69690caf9e9a8c908cc7447bbd5ee59208 |
| SHA256 | 542b2ed377fab7b33e844074dc80b50a93bd7c2e73c99f556db28040d022a8a7 |
| SHA512 | 6b1be7e8afde9752d3903842728258ce940568f4b06985f5609de9bd3200178cb5596c1cbe7e1e97fd206d4b844cabc609f8a1ba2949cff39eccf0269215b2a8 |
memory/5236-798-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/2260-804-0x0000029B7F580000-0x0000029B7F5A0000-memory.dmp
memory/2260-806-0x0000029B7F540000-0x0000029B7F560000-memory.dmp
memory/2260-808-0x0000029B7F950000-0x0000029B7F970000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133557043421241375.txt
| MD5 | 80dffedad36ef4c303579f8c9be9dbd7 |
| SHA1 | 792ca2a83d616ca82d973ece361ed9e95c95a0d8 |
| SHA256 | 590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e |
| SHA512 | 826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea |
memory/5772-832-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
memory/1156-838-0x0000025C001E0000-0x0000025C00200000-memory.dmp
memory/1156-840-0x0000025C001A0000-0x0000025C001C0000-memory.dmp
memory/1156-843-0x0000025C007B0000-0x0000025C007D0000-memory.dmp
memory/1156-850-0x0000025C7D5A0000-0x0000025C7EECF000-memory.dmp
memory/4864-854-0x00000000035F0000-0x00000000035F1000-memory.dmp
memory/3572-861-0x000001DED7170000-0x000001DED7190000-memory.dmp
memory/3572-863-0x000001DED7130000-0x000001DED7150000-memory.dmp
memory/3572-866-0x000001DED7540000-0x000001DED7560000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SL9YLD9N\microsoft.windows[1].xml
| MD5 | bb7934efe1e99dde2a4be53178ce8fd7 |
| SHA1 | 49e6b2f364b597c34832d1878259d5eb671f21a4 |
| SHA256 | 11904522eefd80ce753b37f72e745a251ea2a9bd65cbccbc8993944280db3426 |
| SHA512 | 23ae797546cd1b9884c23e593c371e99ec872b54d5f0856729137ad78507e6e120de7bc75aa7dd7c7556217a628bcf8824175ea0982d6c3236cd22b15455c1d6 |
memory/3572-875-0x000001D6D5000000-0x000001D6D692F000-memory.dmp
memory/5276-878-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
memory/5920-885-0x00000224F4400000-0x00000224F4420000-memory.dmp
memory/5920-887-0x00000224F43C0000-0x00000224F43E0000-memory.dmp
memory/5920-891-0x00000224F47D0000-0x00000224F47F0000-memory.dmp
memory/5748-900-0x0000000004840000-0x0000000004841000-memory.dmp
memory/4304-907-0x000002207C9A0000-0x000002207C9C0000-memory.dmp
memory/4304-909-0x000002207C960000-0x000002207C980000-memory.dmp
memory/4304-913-0x000002207CD70000-0x000002207CD90000-memory.dmp
memory/2248-924-0x00000000043C0000-0x00000000043C1000-memory.dmp
memory/1548-931-0x0000028FFD360000-0x0000028FFD380000-memory.dmp
memory/1548-933-0x0000028FFD320000-0x0000028FFD340000-memory.dmp
memory/1548-937-0x0000028FFD730000-0x0000028FFD750000-memory.dmp
memory/5036-944-0x0000000003F50000-0x0000000003F51000-memory.dmp
memory/4584-951-0x000001CDEDEA0000-0x000001CDEDEC0000-memory.dmp
memory/4584-954-0x000001CDEDE60000-0x000001CDEDE80000-memory.dmp
memory/4584-956-0x000001CDEE510000-0x000001CDEE530000-memory.dmp
memory/5188-968-0x0000000004230000-0x0000000004231000-memory.dmp
memory/3920-975-0x00000239832D0000-0x00000239832F0000-memory.dmp
memory/3920-978-0x0000023983290000-0x00000239832B0000-memory.dmp
memory/3920-981-0x0000023983930000-0x0000023983950000-memory.dmp
memory/4156-991-0x0000000004030000-0x0000000004031000-memory.dmp
memory/2296-997-0x000002BD3DE40000-0x000002BD3DE60000-memory.dmp
memory/2296-999-0x000002BD3DE00000-0x000002BD3DE20000-memory.dmp
memory/2296-1001-0x000002BD3E250000-0x000002BD3E270000-memory.dmp
memory/2212-1018-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/100-1025-0x000001CA42170000-0x000001CA42190000-memory.dmp
memory/100-1027-0x000001CA42130000-0x000001CA42150000-memory.dmp
memory/100-1029-0x000001CA42540000-0x000001CA42560000-memory.dmp
memory/5060-1040-0x00000000049E0000-0x00000000049E1000-memory.dmp
memory/5764-1047-0x0000016094290000-0x00000160942B0000-memory.dmp
memory/5764-1050-0x0000016094250000-0x0000016094270000-memory.dmp
memory/5764-1052-0x0000016094860000-0x0000016094880000-memory.dmp
memory/4120-1063-0x0000000002E20000-0x0000000002E21000-memory.dmp
memory/5904-1069-0x000001FE36520000-0x000001FE36540000-memory.dmp
memory/5904-1072-0x000001FE361D0000-0x000001FE361F0000-memory.dmp
memory/5904-1075-0x000001FE368E0000-0x000001FE36900000-memory.dmp
memory/5040-1082-0x00000000049B0000-0x00000000049B1000-memory.dmp
memory/4944-1088-0x0000020EDAC20000-0x0000020EDAC40000-memory.dmp
memory/4944-1090-0x0000020EDABE0000-0x0000020EDAC00000-memory.dmp
memory/4944-1095-0x0000020EDAFF0000-0x0000020EDB010000-memory.dmp
memory/5516-1104-0x0000000004650000-0x0000000004651000-memory.dmp
memory/6016-1108-0x00000205F9640000-0x00000205F9650000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
| MD5 | 0e2a09c8b94747fa78ec836b5711c0c0 |
| SHA1 | 92495421ad887f27f53784c470884802797025ad |
| SHA256 | 0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36 |
| SHA512 | 61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
| MD5 | fb5f8866e1f4c9c1c7f4d377934ff4b2 |
| SHA1 | d0a329e387fb7bcba205364938417a67dbb4118a |
| SHA256 | 1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170 |
| SHA512 | 0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
| MD5 | b97fe23281e2528f3b030ee2fae89866 |
| SHA1 | 8b3cec9d5ed6100a89fc354d343951680ec0dd4a |
| SHA256 | 937b6cbbc24ca44fe355c46ea3813ff4d8f5fe5d8c54a146f4bd519c5c6726cb |
| SHA512 | 50a77155ef50c2e95ee9787b8a401505725ee8c0e0b43cbaceba27e8402fd1e10e300dac05bccde889ce979e25a8e1a458a2c8f13bc738f12746c219a15e6382 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed03b00f-a491-49b8-9e2a-689f8d47b3b9}\0.0.filtertrie.intermediate.txt
| MD5 | bb3efc4678c65bea22cf9b1000554d6a |
| SHA1 | bcfc7c481d46e96b3ee85356345e2c9c627c9fc0 |
| SHA256 | 581e702dfc5b28e4878b457eb9b75695edd84284966323b3041339fca3abeeee |
| SHA512 | 048aafd9c02154b60a8f8bc68921727f37cefa683954cbaec183615b4b1fc5a5dd4ac5f79c97a802888fce45be09d16fc19d8a8048b45ed75f38371f703b92cb |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed03b00f-a491-49b8-9e2a-689f8d47b3b9}\0.1.filtertrie.intermediate.txt
| MD5 | 34bd1dfb9f72cf4f86e6df6da0a9e49a |
| SHA1 | 5f96d66f33c81c0b10df2128d3860e3cb7e89563 |
| SHA256 | 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c |
| SHA512 | e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed03b00f-a491-49b8-9e2a-689f8d47b3b9}\0.2.filtertrie.intermediate.txt
| MD5 | c204e9faaf8565ad333828beff2d786e |
| SHA1 | 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1 |
| SHA256 | d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f |
| SHA512 | e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed03b00f-a491-49b8-9e2a-689f8d47b3b9}\Apps.index
| MD5 | 5f7c5e66ba315e514d545000d1641a5b |
| SHA1 | 82d79c776959637af65ec3928e2f216db5691843 |
| SHA256 | 2a3056fde926e91dce686884443cfb34c7d62d2c3cd9cb35dc125b739bc78f1c |
| SHA512 | 959751adff1ac5d8026db50163a679e459484d76f98880cb7e9ede3b17e606311fa6f212eba88253ccea924222c7a6b0e505c83a520b0be303db687264ceba97 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c6aef82e50d05ffc0cf52a6c6d69c91 |
| SHA1 | c203efe5b45b0630fee7bd364fe7d63b769e2351 |
| SHA256 | d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32 |
| SHA512 | 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7c6136bc98a5aedca2ea3004e9fbe67d |
| SHA1 | 74318d997f4c9c351eef86d040bc9b085ce1ad4f |
| SHA256 | 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2 |
| SHA512 | 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1d833669159eee5600103ca7e8c2318c |
| SHA1 | 792ee9ed19953d0ef5fe74f3dc9dd22bd933f970 |
| SHA256 | d05504f95c2e2a861c51169ca69092a7f620bbd8af5347e8c595096caf98e57a |
| SHA512 | 7fef06f5b84f44be21943bd42c96f3c89a1f42c940229ec1ea7de996d3e2a7073ff5d3595ab6a89307063e539264c11475d718199cd933e643a9b2d34d65bc41 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 841bceb847c98a7a3c13c999b38b6b8f |
| SHA1 | 8a5ce9ac2cd638370ee1a568219c828a1e783932 |
| SHA256 | ba3d3a94150f31c8524259838294db23b9715dadfc8a37249462b9c5d3ef3884 |
| SHA512 | 04284cd1b12a287da0edd730f11b8d806e7caf056e21e9b6b2db77c8878f0d52a2028c2c527a3d61bfe4f9f691adf0e9e920c70f6abe19e73c302c8a87365aa5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c2c5299a5d413c4e47efb9df3a5ba928 |
| SHA1 | ce18c23009da7ac845f96f2690ee0323cf45c861 |
| SHA256 | c711b5d6467819b8a56933efc6955df8f929b90f43d9c5793529e2f3a4c2a81f |
| SHA512 | c73e7b17620bf8de61b9e89f7b312bbebd2504c2058f3d4d87be03471eb7684a6f776ba894afa51823226253b8910ec53c10eeddf814a529d5bc6a6d81db32bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1608baf01587337bf757fb2cf1929f07 |
| SHA1 | ca79b48095c14609c60e2679784ed61139ef9346 |
| SHA256 | 165793c10d0e6dfb02cde585f38e5bd3c2f06274858b5db271f8b89cfb22c5be |
| SHA512 | 73a79331c78b4da5ce98b8c6f0bd17526c8cb6bdac105e07413b54550e1c87e9e9d8d45ce8bfb24cc529c8e628f89ae96ac953ebb8bbd61d36e6b7fa7b214907 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 015636cca25bd6cbce481ce56ddcb3c8 |
| SHA1 | 06f59e0ea1c8d025ee3bf1b8d80b1dc1fdaee342 |
| SHA256 | 1cc6ac6be3a14bcc3b47734997d2d0c2599e0c3a4cad418f831965e61c30849e |
| SHA512 | dee33c65ccfb482abf506afa4be0a6c9641289fb3da0daa7c1b0e7d3ab536596046ac64b8a595fe917104b6ca4ce5b0d0d774e390fae9998c79186540380515d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9bd486eae435a3c1a5fa8f177306b0d6 |
| SHA1 | 34b63fc0475316f43c5ae6f0d36fe986e6d3d6a8 |
| SHA256 | 497e02af203638ab7028a6a8b74701c6b3f3de852da59e1819b3aa6f5a46465a |
| SHA512 | 1a18b6e60039f3108169395b82b4060a99a159b9c31ecccbf4f59e63594a8dc1875aa57ca56fb880419e9e20908e5db7f827465ac1c474129059dfdc936d32b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7a48f43aeb85f5633d22fd1fc3ea891b |
| SHA1 | 15bebbda44f6e9cc0525acb27f8621c1667487b3 |
| SHA256 | fd2378530bc3ddacbdc56d49b804f0eac267029b614accba3f2e0cd2a774edaf |
| SHA512 | 4aed73161a52fba3501ec1365d5ff6bbf2f9119f621ad3500092732162665d8fe1b6124f1baffbf5e06cf862f44e4ae2c592288a75312566c379f99b8cc2286a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 970d84d721a6ff1b9e26e942720d7ec2 |
| SHA1 | 781ef37a5697c7f9e9695b30a8b8314f7a41112f |
| SHA256 | 886475ffb55cf3f230cba952ef3bab0af950284044507f9bbb4ff91e297cfffd |
| SHA512 | aca7bfecbc144f9cb3597eec8c8f0d90a88b68e45c3cb7dd82abdee64009fd63405144ec90cd91797ebb7d6ca5298bb00cbc79c505a649039f8dcf7147e47eb8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 74970fd345166016131345c46a45b30a |
| SHA1 | 2d8783ad813ff271aa1a0ba7fa63005d8504de38 |
| SHA256 | dd0148b3850ebd7e1faa7c28506d94704d2b30f227b32b66d3865edbee8ba18f |
| SHA512 | 773f9c00a379352c35875985b46d9d712c3e95f1337527d53c6610b397b75c96cd10557092f5e67c0cbf365d9da56a8c1bd3174a81e647d80af14bc062110d1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b4afef350f3db3ca2ecf887a313bd27c |
| SHA1 | 9033b1f2ce6362def6b7335831a8ae6c56b041d6 |
| SHA256 | d2d79a6a1fe4539c37ebb16aeca2f189cfec962b48f4245b421ef0300e28e44a |
| SHA512 | 7852462a0876edfb1c57d5b73b4ef5a1dc84a8f76ff1f992c56ae13503e54e584a5ac2383b3cce5f0b518b2ee375e9be27fc234cb754ea311a03ebd1453c2849 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 83e80c4bcc218ffbae42835fe32e3235 |
| SHA1 | 6256941ab6a932a8f1368047eeda50a41f169a7e |
| SHA256 | 3578a868dbe19fa9ef4f3e8fbaee1345f28fb32cd0fab4d96c52ef71975fe0ce |
| SHA512 | eaf9927e585898d7b5959541c2e94940d7648d8ed8cc3e9ca46ce8be5046b72f02f1231b8f87a8ffdcfc137004fa988ad24aa2b1ec1fece8d91cc4e387e7906c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 82af843b31cddacce1fce3afb9fe8a09 |
| SHA1 | d1945725e7ea5003e63bced70f61a96e7709bb28 |
| SHA256 | f08d3f16e2a0a8745b26815b47f8802354d90e6cc0a97498042f4dc5e4d201b9 |
| SHA512 | 41c5379a702133303bceb8f40b20460b430f41985819722c92b020bbdc71a1af8e563b7ece20df2b16e6d17e8950d18bb32b852e6fd7de9c18625647b8ea4d8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4d1728bc4cf7aa29fa953434b43f407d |
| SHA1 | f8f6c8047d81e004a45864f963b80a779b914b20 |
| SHA256 | ac8a87f524cb62cd5fdee314473e8fdee5158fe7fb61400254cbc30a4f059025 |
| SHA512 | c33c73a83011410068013b10e07ed8bfee5858d5d1131e434cb2dac9c3b0a25e6f2087cacbcedb511e6cc5a9dac6ae445dcc17d18a5c2b0d952068d111fdd29a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 56e84f07baebd7676c7aa297a8ca2d7f |
| SHA1 | a66c705859b6030b21d8642f0642228e1a8d55b7 |
| SHA256 | 74ca20b4e8e30c4ec2e36815567d42443193725e393a0f74c85759d53700370a |
| SHA512 | 496257e8d0cd16efb9f683dcc5200744ebc917e0b7a76af2ed07962eb873bf41409f331a6a62b4a891bb9294fa4422f4a84a1749b4bf2bb642ae0df153bcb7ab |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}
| MD5 | 93a41069c98050e3ea095a2185fddce9 |
| SHA1 | 92eecf90eb3e8235397bf0574acf0e7405541b26 |
| SHA256 | 0382664c279fd723231cbef1f76c8592dfa408b3b42dd8f343a21f4e77adc497 |
| SHA512 | 7a36bcf3ef2c41b5084c36404ce692466934931428f2dcaabb86c2a666cf39b53467161a6d13045eb7a68f31461163d869135aca4c744b9215fbb8891b36fc0d |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop
| MD5 | 2761c23f5ae53a3c1c54e2c5a3b3ec37 |
| SHA1 | 0e8fde1afc62358f737b68d1a6a822f15453e4b1 |
| SHA256 | 8d0c72c48a9c3d67ee4a4747d62fd38d90899a7bf57102a11ed36e90a19241e4 |
| SHA512 | 677ccb7215510fd200275108420451967ae724d00a3e4eac048f48c3663aa34bb8d2c30968eb1b2ce1296d2becf0211341a8135a591ecc7a612b5b2b03c17049 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}
| MD5 | 0705d6835877cf0e3c45fc7427647c75 |
| SHA1 | b03330cd06f821600bb0323e7c2277311f065f6f |
| SHA256 | b04759fee392d36cc20a319943c4ddac356cd1fbed6223a4961688689350a84e |
| SHA512 | 0faaf02180ef6ea2a8a74ab2be7b72be24eff69e5aecdf97bec838a637e7b3efb85ffed32c2e035b2100615e2711cccbe8afe231ec55a7245d00d6c98329d83c |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default
| MD5 | 3f7a4b60eace07c59ca0c9072fe1a711 |
| SHA1 | 06758e981f2efafb5822873d36b218e40cd7ee94 |
| SHA256 | 8fdc9fdd3adfe90a6bf4765c9b614b7072ece2bfba319d09b8e437b33a59fc4f |
| SHA512 | 1227e79685832d7b850677170bf4e04c895776d05628030267d3d659b675ce85adbe2dd7e2423ba46969264903dd74d4a243b9747e8b07031b11cf7f4a9785fa |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}
| MD5 | e799eff0b7816a5587d146f9bb951f1f |
| SHA1 | 28f99125424d8e0647ed01a21c378362de181cdb |
| SHA256 | daee10eef8cdad237bee08e5429e529bca3b7a10c1bd76578588108a3a6b272b |
| SHA512 | 02ad638295b2a21c3b4367e7f3ef345b81e3ba8c62c61a97ef51b1f102c28b2fd6863f3ca1b3b87051ec95da92c42a8bfcd4e0adf18cebd3de0a2c27a388d563 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe
| MD5 | 4f0414c4ef966619b5cf9b740c9f1096 |
| SHA1 | d136f140bb9aa3d3d9b5aa5dcb413d78b93c71fe |
| SHA256 | bfedb922c2dd20626051ac2dea4f06021eb0a51ed53d901bb7fdc3c27b0c9cc2 |
| SHA512 | bb094fd2695d2ad8f0e1f5ea5652dcf1e377adeb597cc84836aed75685689aa14f622632575bfb59a37ab86610f0595b3897adc6db7278dc141e4ef9495deb38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a2982dcd77a70693cdc8389163758ac6 |
| SHA1 | d4118a83f0d4c0a9546575c31503ae7662f1cdf4 |
| SHA256 | 6673235e06b08eefce5481c7c49d893a5b89d74d372fea7c142c1c3e101d7b87 |
| SHA512 | 447fd110d81240110baf873e01a43b6f17f12ed47ab158e63ba1985d16394e988b58beba024f41b3528ca0185918e3d00a53051287735c0418edb0972115e4eb |