Analysis Overview
Threat Level: Likely malicious
The file http://google.com was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: AppInit DLLs
Possible privilege escalation attempt
Blocklisted process makes network request
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Power Settings
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Access Token Manipulation: Create Process with Token
Event Triggered Execution: Accessibility Features
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-19 15:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 15:51
Reported
2024-06-19 16:15
Platform
win10v2004-20240611-en
Max time kernel
1427s
Max time network
1466s
Command Line
Signatures
Blocklisted process makes network request
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\SET4C7A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\SysWOW64\SET4C7A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\INF\SET4866.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SET4C47.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\fonts\SET4C69.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\executables.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4864.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentAnm.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\Agt0409.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\tv_enua.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentSvr.exe | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentMPx.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\SET4C69.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SET4C37.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SET4C47.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\INF\SET4C79.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\SET4879.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4865.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentPsh.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\intl\SET4879.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4850.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4852.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4867.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4865.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SET4866.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\finalDestruction.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentCtl.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4853.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4851.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SET4C37.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\help\SET4C58.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET484F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4850.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\help\SET4868.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDp2.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\mslwvtts.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\SET4C58.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4854.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\agtinst.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4851.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4852.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4854.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET4864.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET487A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET487A.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\andmoipa.ttf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SET4C79.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentSR.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4867.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET484F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET4853.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDPv.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\SET4868.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Accessibility Features
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632859936901412" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ = "IAgentCtlCharacterEx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCommandsEx" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2\CLSID\ = "{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlBalloon" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ = "C:\\Windows\\lhsp\\tv\\tvenuax.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{B8285B3E-B9D0-4521-B1CD-73AA2440CF6E} | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\CurVer | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 925370.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb32ac46f8,0x7ffb32ac4708,0x7ffb32ac4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,6172327488404377265,7385428560709000445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmmon32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmstp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\colorcpl.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\comrepl.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\comp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\compact.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ComputerDefaults.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\control.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\control.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\convert.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CredentialUIBroker.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CredentialUIBroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CredentialUIBroker.exe" /grant "everyone":(f)
C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\credwiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cscript.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ctfmon.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cttune.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cttunesvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\curl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\curl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\curl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dccw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dcomcnfg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ddodiag.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DevicePairingWizard.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x498
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dfrgui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dialer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\diskpart.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\diskperf.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Dism\DismHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Dism.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dllhst3g.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dllhst3g.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\doskey.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\doskey.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\doskey.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpapimig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dpapimig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dpapimig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DpiScaling.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DpiScaling.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DpiScaling.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dplaysvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dplaysvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dplaysvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpnsvr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dpnsvr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dpnsvr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\driverquery.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\driverquery.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\driverquery.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dtdump.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dtdump.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dtdump.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dvdplay.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dvdplay.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dvdplay.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DWWIN.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\DWWIN.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\DWWIN.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dxdiag.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\dxdiag.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\dxdiag.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\EaseOfAccessDialog.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\edpnotify.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\edpnotify.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\edpnotify.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\efsui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\efsui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\efsui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\EhStorAuthn.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\esentutl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\esentutl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\esentutl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eudcedit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eudcedit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eudcedit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventcreate.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eventcreate.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eventcreate.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventvwr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\eventvwr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\eventvwr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\expand.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\expand.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\expand.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\explorer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\explorer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\explorer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\extrac32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\extrac32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\extrac32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\F12\IEChooser.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\F12\IEChooser.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\F12\IEChooser.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\find.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\find.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\find.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\findstr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\findstr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\findstr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\finger.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\finger.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\finger.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fixmapi.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fixmapi.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fixmapi.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fltMC.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fltMC.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fltMC.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Fondue.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Fondue.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Fondue.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fontdrvhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontview.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fontview.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fontview.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\forfiles.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\forfiles.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\forfiles.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsquirt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fsquirt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fsquirt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsutil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\fsutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\fsutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ftp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ftp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ftp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GamePanel.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\GamePanel.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\GamePanel.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\getmac.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\getmac.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\getmac.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpresult.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpresult.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpresult.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpscript.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpscript.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpscript.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpupdate.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\gpupdate.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\gpupdate.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\grpconv.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\grpconv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\grpconv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hdwwiz.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\hdwwiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\hdwwiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\help.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\help.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\help.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hh.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\hh.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\hh.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\HOSTNAME.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\HOSTNAME.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\HOSTNAME.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icacls.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\icacls.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\icacls.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icsunattend.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\icsunattend.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\icsunattend.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ieUnatt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ieUnatt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ieUnatt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iexpress.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\iexpress.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\iexpress.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMEJP\imjpuexc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\IMETC\IMTCPROP.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMCCPHR.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\imecfmui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\imecfmui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\imecfmui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InfDefaultInstall.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InfDefaultInstall.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InfDefaultInstall.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InputSwitchToastHandler.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InputSwitchToastHandler.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InputSwitchToastHandler.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\setup.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InstallShield\setup.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InstallShield\setup.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\_isdel.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\InstallShield\_isdel.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\InstallShield\_isdel.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\instnm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\instnm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\instnm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ipconfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ipconfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ipconfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicli.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\iscsicli.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\iscsicli.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicpl.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\iscsicpl.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\iscsicpl.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\isoburn.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\isoburn.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\isoburn.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ktmutil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ktmutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ktmutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\label.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\label.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\label.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchTM.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\LaunchTM.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\LaunchTM.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchWinApp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\LaunchWinApp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\LaunchWinApp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\lodctr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\lodctr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\lodctr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logagent.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\logagent.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\logagent.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logman.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\logman.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\logman.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Magnify.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Magnify.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Magnify.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\makecab.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\makecab.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\makecab.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mavinject.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mavinject.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mavinject.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mcbuilder.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mcbuilder.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mcbuilder.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mfpmp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mfpmp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mfpmp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mmc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mmc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mmc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mmgaserver.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mmgaserver.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mmgaserver.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mobsync.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mobsync.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mobsync.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mountvol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mountvol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mountvol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\MRINFO.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\MRINFO.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\MRINFO.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msdt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\msdt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\msdt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msfeedssync.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\msfeedssync.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\msfeedssync.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mshta.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mshta.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mshta.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msiexec.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\msiexec.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\msiexec.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msinfo32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\msinfo32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\msinfo32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mspaint.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mspaint.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mspaint.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msra.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\msra.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\msra.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mstsc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mstsc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mstsc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mtstocom.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\mtstocom.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\mtstocom.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\MuiUnattend.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\MuiUnattend.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\MuiUnattend.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ndadmin.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ndadmin.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ndadmin.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\net.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\net.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\net.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\net1.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\net1.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\net1.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netbtugc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\netbtugc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\netbtugc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netiougc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\netiougc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\netiougc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Netplwiz.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Netplwiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Netplwiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netsh.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\netsh.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\netsh.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\NETSTAT.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\NETSTAT.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\NETSTAT.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\newdev.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\newdev.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\newdev.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\notepad.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\nslookup.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\nslookup.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\nslookup.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ntprint.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ntprint.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ntprint.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\odbcad32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\odbcad32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\odbcad32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\odbcconf.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\odbcconf.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\odbcconf.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\OneDriveSetup.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\OneDriveSetup.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\OneDriveSetup.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\openfiles.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\openfiles.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\openfiles.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\OpenWith.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\OpenWith.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\OpenWith.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\OposHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\OposHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\OposHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PackagedCWALauncher.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PackagedCWALauncher.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PackagedCWALauncher.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PATHPING.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PATHPING.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PATHPING.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\pcaui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\pcaui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\pcaui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\perfhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\perfhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\perfhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\perfmon.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\perfmon.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\perfmon.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PickerHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PickerHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PickerHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PING.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PING.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PING.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PkgMgr.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PkgMgr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PkgMgr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\poqexec.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\poqexec.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\poqexec.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\powercfg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\powercfg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\powercfg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PresentationHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\PresentationHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\PresentationHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\prevhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\prevhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\prevhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\print.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\print.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\print.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\printui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\printui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\printui.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\proquota.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\proquota.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\proquota.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\provlaunch.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\provlaunch.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\provlaunch.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\psr.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\psr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\psr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\quickassist.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\quickassist.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\quickassist.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasautou.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rasautou.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rasautou.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasdial.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rasdial.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rasdial.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\raserver.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\raserver.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\raserver.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasphone.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rasphone.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rasphone.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSa.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RdpSa.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RdpSa.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSaProxy.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RdpSaProxy.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RdpSaProxy.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSaUacHelper.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RdpSaUacHelper.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RdpSaUacHelper.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rdrleakdiag.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rdrleakdiag.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rdrleakdiag.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ReAgentc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ReAgentc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ReAgentc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\recover.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\recover.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\recover.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\reg.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\reg.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\reg.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regedit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\regedit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\regedit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regedt32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\regedt32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\regedt32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regini.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\regini.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\regini.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Register-CimProvider.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Register-CimProvider.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Register-CimProvider.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regsvr32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\regsvr32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\regsvr32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rekeywiz.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rekeywiz.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rekeywiz.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\relog.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\relog.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\relog.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\replace.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\replace.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\replace.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\resmon.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\resmon.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\resmon.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RMActivate.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RMActivate.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_isv.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RMActivate_isv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RMActivate_isv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_ssp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RMActivate_ssp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RMActivate_ssp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_ssp_isv.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RMActivate_ssp_isv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RMActivate_ssp_isv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RmClient.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RmClient.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RmClient.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Robocopy.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Robocopy.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Robocopy.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ROUTE.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ROUTE.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ROUTE.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RpcPing.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RpcPing.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RpcPing.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rrinstaller.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rrinstaller.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rrinstaller.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\runas.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\runas.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\runas.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rundll32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\rundll32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\rundll32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RunLegacyCPLElevated.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\RunLegacyCPLElevated.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\RunLegacyCPLElevated.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\runonce.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\runonce.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\runonce.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sc.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\schtasks.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\schtasks.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\schtasks.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdbinst.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sdbinst.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sdbinst.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdchange.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sdchange.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sdchange.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdiagnhost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sdiagnhost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sdiagnhost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchFilterHost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SearchFilterHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SearchFilterHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchIndexer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SearchIndexer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SearchIndexer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchProtocolHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SearchProtocolHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SearchProtocolHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SecEdit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SecEdit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SecEdit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\secinit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\secinit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\secinit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sethc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sethc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sethc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SettingSyncHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SettingSyncHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SettingSyncHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setup16.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\setup16.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\setup16.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setupugc.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\setupugc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\setupugc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setx.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\setx.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\setx.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sfc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sfc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sfc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\shrpubw.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\shrpubw.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\shrpubw.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\shutdown.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\shutdown.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\shutdown.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SndVol.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SndVol.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SndVol.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sort.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sort.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sort.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\srdelayed.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\srdelayed.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\srdelayed.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1700 -s 6456
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\stordiag.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\stordiag.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\subst.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\subst.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\subst.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\svchost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\svchost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\svchost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sxstrace.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sxstrace.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sxstrace.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SyncHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SyncHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SyncHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\systeminfo.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\systeminfo.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\systeminfo.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesAdvanced.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesAdvanced.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesAdvanced.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesComputerName.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesComputerName.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesComputerName.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesHardware.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesHardware.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesHardware.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesPerformance.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesPerformance.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesProtection.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesProtection.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesProtection.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesRemote.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemPropertiesRemote.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemPropertiesRemote.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemUWPLauncher.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\SystemUWPLauncher.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\SystemUWPLauncher.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\systray.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\systray.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\systray.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\takeown.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\takeown.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\takeown.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TapiUnattend.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TapiUnattend.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TapiUnattend.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tar.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tar.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tar.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\taskkill.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\taskkill.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\taskkill.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tasklist.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tasklist.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tasklist.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Taskmgr.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Taskmgr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Taskmgr.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2900 -s 5740
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tcmsetup.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tcmsetup.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tcmsetup.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TCPSVCS.EXE"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TCPSVCS.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TCPSVCS.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ThumbnailExtractionHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ThumbnailExtractionHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ThumbnailExtractionHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\timeout.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\timeout.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\timeout.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TokenBrokerCookies.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TokenBrokerCookies.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TokenBrokerCookies.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TpmInit.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TpmInit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TpmInit.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TpmTool.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TpmTool.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TpmTool.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tracerpt.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tracerpt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tracerpt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TRACERT.EXE"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TRACERT.EXE"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TRACERT.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TSTheme.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TSTheme.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TSTheme.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TsWpfWrp.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\TsWpfWrp.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\TsWpfWrp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ttdinject.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ttdinject.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ttdinject.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4516 -ip 4516
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tttracer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tttracer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tttracer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\typeperf.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\typeperf.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\typeperf.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tzutil.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\tzutil.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\tzutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\unlodctr.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\unlodctr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\unlodctr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\unregmp2.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\unregmp2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\unregmp2.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\upnpcont.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\upnpcont.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\upnpcont.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\user.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\user.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\user.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\UserAccountBroker.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\UserAccountBroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\UserAccountBroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\UserAccountControlSettings.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\UserAccountControlSettings.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\UserAccountControlSettings.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\userinit.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\userinit.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\userinit.exe" /grant "everyone":(f)
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb27fcab58,0x7ffb27fcab68,0x7ffb27fcab78
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Utilman.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1992 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3960 -s 7604
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3876 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Utilman.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Utilman.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\verclsid.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\verclsid.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\verclsid.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\verifiergui.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\verifiergui.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\verifiergui.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\w32tm.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\w32tm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\w32tm.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\waitfor.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\waitfor.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\waitfor.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wbem\mofcomp.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wbem\mofcomp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wbem\mofcomp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wbem\WinMgmt.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wbem\WinMgmt.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wbem\WinMgmt.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wbem\WMIADAP.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wbem\WMIADAP.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wbem\WMIADAP.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wbem\WMIC.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wbem\WMIC.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wbem\WMIC.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wbem\WmiPrvSE.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wbem\WmiPrvSE.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wbem\WmiPrvSE.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wecutil.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wecutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wecutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WerFault.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WerFault.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WerFault.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WerFaultSecure.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WerFaultSecure.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WerFaultSecure.exe" /grant "everyone":(f)
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wermgr.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wermgr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wermgr.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wevtutil.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wevtutil.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wevtutil.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wextract.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wextract.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wextract.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\where.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\where.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\where.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\whoami.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\whoami.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\whoami.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wiaacmgr.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wiaacmgr.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wiaacmgr.exe" /grant "everyone":(f)
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:8
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Windows.Media.BackgroundPlayback.exe" /grant "everyone":(f)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Windows.WARP.JITService.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Windows.WARP.JITService.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Windows.WARP.JITService.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\winrs.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\winrs.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\winrshost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\winrshost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\winrshost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WinRTNetMUAHostServer.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WinRTNetMUAHostServer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\winver.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\winver.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\winver.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wlanext.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wlanext.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wlanext.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\wowreg32.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\wowreg32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\wowreg32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\WPDShextAutoplay.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\WPDShextAutoplay.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\WPDShextAutoplay.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\write.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\write.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3848 --field-trial-handle=2212,i,5939824463638300879,1140138803721417414,131072 /prefetch:1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\write.exe" /grant "everyone":(f)
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1192 -ip 1192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| GB | 142.250.178.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.187.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | lh5.googleusercontent.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 172.217.16.225:443 | lh5.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh5.googleusercontent.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 142.250.200.35:443 | id.google.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 216.58.213.22:443 | i.ytimg.com | tcp |
| GB | 216.58.213.22:443 | i.ytimg.com | tcp |
| GB | 216.58.213.22:443 | i.ytimg.com | tcp |
| GB | 216.58.213.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.16.238:443 | www.youtube.com | udp |
| GB | 216.58.213.22:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 22.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| GB | 216.58.213.6:443 | static.doubleclick.net | tcp |
| GB | 172.217.16.234:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.16.234:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 226.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.quora.com | udp |
| US | 162.159.153.247:443 | www.quora.com | tcp |
| US | 162.159.153.247:443 | www.quora.com | tcp |
| US | 8.8.8.8:53 | 247.153.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qsbr.cf2.quoracdn.net | udp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 104.19.177.52:443 | cdn.cookielaw.org | tcp |
| US | 162.159.153.247:443 | qsbr.cf2.quoracdn.net | udp |
| US | 8.8.8.8:53 | qph.cf2.quoracdn.net | udp |
| US | 8.8.8.8:53 | qsf.fs.quoracdn.net | udp |
| US | 8.8.8.8:53 | 52.177.19.104.in-addr.arpa | udp |
| US | 104.19.177.52:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | btloader.com | udp |
| US | 8.8.8.8:53 | cdn.sprig.com | udp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| BG | 18.244.87.95:443 | cdn.sprig.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| US | 172.64.155.119:443 | geolocation.onetrust.com | tcp |
| US | 8.8.8.8:53 | api.btloader.com | udp |
| US | 8.8.8.8:53 | ad-delivery.net | udp |
| US | 130.211.23.194:443 | api.btloader.com | tcp |
| US | 104.26.2.70:443 | ad-delivery.net | tcp |
| US | 104.26.2.70:443 | ad-delivery.net | tcp |
| US | 104.26.2.70:443 | ad-delivery.net | tcp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | api.sprig.com | udp |
| US | 130.211.23.194:443 | api.btloader.com | udp |
| US | 34.198.52.31:443 | api.sprig.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 60.41.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.87.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.203.85.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.23.211.130.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.52.198.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 151.101.192.176:443 | js.stripe.com | tcp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | tch732884.tch.quora.com | udp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 54.163.139.164:443 | tch732884.tch.quora.com | tcp |
| US | 8.8.8.8:53 | 176.192.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.139.163.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.youtube.com | udp |
| US | 8.8.8.8:53 | privacyportal.onetrust.com | udp |
| US | 172.64.155.119:443 | privacyportal.onetrust.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 216.58.204.67:443 | id.google.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.16.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.78:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.16.217.172.in-addr.arpa | udp |
| GB | 172.217.16.246:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.213.6:443 | static.doubleclick.net | tcp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| GB | 142.250.187.234:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.187.234:443 | jnn-pa.googleapis.com | udp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | www.youtube.com | udp |
| GB | 172.217.169.46:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 2.178.250.142.in-addr.arpa | udp |
| GB | 216.58.204.67:443 | id.google.com | udp |
| US | 8.8.8.8:53 | security.stackexchange.com | udp |
| US | 172.64.144.30:443 | security.stackexchange.com | tcp |
| US | 172.64.144.30:443 | security.stackexchange.com | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | cdn.sstatic.net | udp |
| US | 172.64.147.34:443 | cdn.sstatic.net | tcp |
| US | 172.64.147.34:443 | cdn.sstatic.net | tcp |
| US | 172.64.147.34:443 | cdn.sstatic.net | tcp |
| US | 172.64.147.34:443 | cdn.sstatic.net | tcp |
| US | 172.64.147.34:443 | cdn.sstatic.net | tcp |
| GB | 142.250.187.234:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 8.8.8.8:53 | i.sstatic.net | udp |
| US | 8.8.8.8:53 | www.gravatar.com | udp |
| US | 104.19.177.52:443 | cdn.cookielaw.org | tcp |
| US | 104.18.41.33:443 | i.sstatic.net | tcp |
| US | 192.0.73.2:443 | www.gravatar.com | tcp |
| US | 8.8.8.8:53 | 30.144.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.147.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pub.doubleverify.com | udp |
| US | 104.18.167.224:443 | pub.doubleverify.com | tcp |
| US | 104.19.177.52:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 104.18.167.224:443 | pub.doubleverify.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | qa.sockets.stackexchange.com | udp |
| US | 172.64.155.119:443 | geolocation.onetrust.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 104.18.167.224:443 | pub.doubleverify.com | udp |
| US | 172.64.152.233:443 | qa.sockets.stackexchange.com | tcp |
| US | 8.8.8.8:53 | 33.41.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.73.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.167.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f7a40ec39b8e6e370f162ae23e434c9c.safeframe.googlesyndication.com | udp |
| GB | 172.217.169.65:443 | f7a40ec39b8e6e370f162ae23e434c9c.safeframe.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | tcp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | 233.152.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | 35.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gvt2.com | tcp |
| GB | 172.217.169.3:443 | beacons.gvt2.com | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 142.250.200.3:443 | id.google.com | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 216.58.212.246:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 246.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 216.58.212.226:443 | googleads.g.doubleclick.net | udp |
| GB | 216.58.213.6:443 | static.doubleclick.net | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| GB | 172.217.169.10:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 22.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b4a74bc775caf3de7fc9cde3c30ce482 |
| SHA1 | c6ed3161390e5493f71182a6cb98d51c9063775d |
| SHA256 | dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280 |
| SHA512 | 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f |
\??\pipe\LOCAL\crashpad_4616_JVUVNLXHDKUYODVN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c5abc082d9d9307e797b7e89a2f755f4 |
| SHA1 | 54c442690a8727f1d3453b6452198d3ec4ec13df |
| SHA256 | a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716 |
| SHA512 | ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 186b381eb588f414adf060526f907360 |
| SHA1 | b7b1f69e9b59cc40f25ec8245a73d9d2965ae45d |
| SHA256 | 8df44c58a4e136072eea509a75d6ced8f04f5a026c96fcf9138a582a580241c6 |
| SHA512 | 34ca1e1858990f6b904ccbd5fbb19ad71678c5d2eef9ec9cb8c4bd93dd739aab6c8b8d8fadb4ff8080fdc35030c4bb8fa71e58e4472e0d444fc380fb9736a9e1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9b6224739bcc0d2c608862a0cb170db8 |
| SHA1 | f7200d269ea8b7f460ec5ae169308dd0c9a34417 |
| SHA256 | ed37cccc9f26bef877056803971de5d61cc9ddfee13c892e706b65ecb2d59d1a |
| SHA512 | 88f1db1fd0f8968e255cf53b847dcb9ae1c80224b5cfd78f374472c3b04f74fa75ad38f38b7060ec58b60186d488f89185ca748c3026ef4d2ab26baa4ce12875 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 42a253f1657445d28739f00186b2f6a5 |
| SHA1 | 44f178b195eef273755a148fc3bfb0cb32a689b0 |
| SHA256 | 5a5534168ad2694fda90fd828fcdd397b07a0b886f16144e2db9ec85ec2c00dc |
| SHA512 | 948ad9193bc5575d4627eec9208242c4f44cfcd14be3389c03daaa2911905f8c662671299456900addace9fe8eaf04a3dc61b4e3fc37e5971ecb0ee1f21b8ca0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | eff4889cb73a86d9d3ca336c1f02a24f |
| SHA1 | c591e07662b1cf64e793a037027421b8cdbf84fb |
| SHA256 | a9e456107717a4988e79cbc9d58e2a1d4015205198acd9ac3130a4efb233a2c6 |
| SHA512 | 7d1b179d1881122dd8ee59463961e25d5e13315cfa9f1023e09e5a372cb4d9846e4010e88e988ab1c00ef9ffad5dd7127cc7f0acb5cd8b143b0be22baa27c2e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | a2373cb5ceef0437b2b3434044c710f7 |
| SHA1 | b57ace6569dcdc28bebfa1089349c034eedce90f |
| SHA256 | 93366abafbff2eadb281eae46be3198eee6131e80abfd3c760f38ca45525c88e |
| SHA512 | f0611cbf66722e70c253e0d1ae960021ab47c9a0f02f75fc1304f1199eb46c2ca49b6e6dbce83884948e6933d0e18ee8aa31343a946e3c11d118e3d7769d4df2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 2892eee3e20e19a9ba77be6913508a54 |
| SHA1 | 7c4ef82faa28393c739c517d706ac6919a8ffc49 |
| SHA256 | 4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2 |
| SHA512 | b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3d0d93c29f185e0c5cb05d8831d8c3bf |
| SHA1 | 247d5d08d2fe33bd659c709ba65d8f2949c48414 |
| SHA256 | feb0b67f5eac2e8571f4004de10d36b262104d9fdf2494438d024f716156e6e9 |
| SHA512 | f7ea3cefe5eb025aeb5cfecea308d4ccfd8c1b1052f60641b0e59d17e354d7583e055f5415c707400786f48e924e6171c3a7e29011279add265615e2719f4d34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c014.TMP
| MD5 | 234cd5cfd615f50a75b9335a48344775 |
| SHA1 | 4a04bc0986197d1cfee2da7505b836533bd5ab78 |
| SHA256 | 45a9ec0de8d4dba1e303817c5fbbb48b77fe41084b771100deacdc48c618f987 |
| SHA512 | 953ee1fd1b83b053e47fd96b9c26d434fc76e2280127584b61ef35b414a42159efc4ad6532fca0d3750aa0c14420c0d455423e9efb054715d64259953a6ccc97 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 820bfd50554290cde1fe0a1199fe06b9 |
| SHA1 | f49f628be9d4cde61656c70181af32d8c7047059 |
| SHA256 | e1a8dd7dd35f06b990ffdbad5f072e9b9158788f649dd11786df9d522a7bb672 |
| SHA512 | 895222d67134e047a6cc8a23c57f7b4f7a534786f3a16f6add6a065853323e6b1a76effc7169b60045e20e6680f4f1dc579266cc97b5d311693a854d9e81cea1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7278defd9f7b03b981fa53e34ae92f9a |
| SHA1 | 3735a2cd7a547d62dc5f745bc10c0952aaf3c3cb |
| SHA256 | 26381627c96341d0662a9000cb27c25c946def3c40c029fd1588576b47c3d04d |
| SHA512 | d9e97de5122df704dd5e75769fe9b0abe296fb199b31fe8dc897490bb83bc4186584d8c17eab232ee0956d1d8137a79c03cdb45ed1f98602e1d3c3616e544d3b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 001206985a717311fdad68a5dde8559d |
| SHA1 | 8e03d251ca4f938646527c6f08c491f8d9b23056 |
| SHA256 | e4ddc5211db66b04bac8229fa11c1f09fa2b3f48bbe8348840848041db427d6d |
| SHA512 | 7d068ebd5e3e0aba7947ef3b0b92f073e5bfbbe5c382ba7e6b343d7d2aa7d0273fbc8b6b83a9bc4a5f60201cb80657a7bc060d960c0c9e6cbfb5f2f6399c9f5a |
C:\Users\Admin\Downloads\Unconfirmed 925370.crdownload
| MD5 | fba93d8d029e85e0cde3759b7903cee2 |
| SHA1 | 525b1aa549188f4565c75ab69e51f927204ca384 |
| SHA256 | 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764 |
| SHA512 | 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 896cafdfb9ff451af55f129720f3d57c |
| SHA1 | 9c56f9a8f54ff152954870c9a031fa74bd811058 |
| SHA256 | 1cdafb20d5f532f3a87f0747bd58e71473e44304db13f4633a7512c7f219da3d |
| SHA512 | 9d8a8d0ff49c4673c19efab6a8ed76f79e7dc830ef0c4c53859001066a302dda5026a6e737c233a8edad3f51fe3a8446933416cb154ce5963a96a7f2b8e553c2 |
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
| MD5 | ea7df060b402326b4305241f21f39736 |
| SHA1 | 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2 |
| SHA256 | e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793 |
| SHA512 | 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a13db31a59341fd6bf94590687a532b8 |
| SHA1 | 03782cb4eb217ac59b81d9064c2792a0f5324e83 |
| SHA256 | 37a0dd4cc02f5adfeef82b8877e00730a7c4e9e9305f7c2b7aa0c0851d044836 |
| SHA512 | 1671652ec10e257fff54e8471824b97f04c54e25ebcadf1bc8601bcd48bd21a25a214d70dd9fffccd4e5149bde868f15cdc0fe6339baa051c0a6c18fa1ed032a |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 66996a076065ebdcdac85ff9637ceae0 |
| SHA1 | 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce |
| SHA256 | 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa |
| SHA512 | e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c |
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
| MD5 | f80e36cd406022944558d8a099db0fa7 |
| SHA1 | fd7e93ca529ed760ff86278fbfa5ba0496e581ce |
| SHA256 | 7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7 |
| SHA512 | 436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
| MD5 | e4a499b9e1fe33991dbcfb4e926c8821 |
| SHA1 | 951d4750b05ea6a63951a7667566467d01cb2d42 |
| SHA256 | 49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d |
| SHA512 | a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
| MD5 | 81e5c8596a7e4e98117f5c5143293020 |
| SHA1 | 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081 |
| SHA256 | 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004 |
| SHA512 | 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
| MD5 | 237e13b95ab37d0141cf0bc585b8db94 |
| SHA1 | 102c6164c21de1f3e0b7d487dd5dc4c5249e0994 |
| SHA256 | d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a |
| SHA512 | 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
| MD5 | 9fafb9d0591f2be4c2a846f63d82d301 |
| SHA1 | 1df97aa4f3722b6695eac457e207a76a6b7457be |
| SHA256 | e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d |
| SHA512 | ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
| MD5 | 466d35e6a22924dd846a043bc7dd94b8 |
| SHA1 | 35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10 |
| SHA256 | e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801 |
| SHA512 | 23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
| MD5 | f1656b80eaae5e5201dcbfbcd3523691 |
| SHA1 | 6f93d71c210eb59416e31f12e4cc6a0da48de85b |
| SHA256 | 3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2 |
| SHA512 | e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
| MD5 | 0cbf0f4c9e54d12d34cd1a772ba799e1 |
| SHA1 | 40e55eb54394d17d2d11ca0089b84e97c19634a7 |
| SHA256 | 6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1 |
| SHA512 | bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
| MD5 | 316999655fef30c52c3854751c663996 |
| SHA1 | a7862202c3b075bdeb91c5e04fe5ff71907dae59 |
| SHA256 | ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0 |
| SHA512 | 5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
| MD5 | b127d9187c6dbb1b948053c7c9a6811f |
| SHA1 | b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9 |
| SHA256 | bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00 |
| SHA512 | 88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
| MD5 | b4ac608ebf5a8fdefa2d635e83b7c0e8 |
| SHA1 | d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9 |
| SHA256 | 8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f |
| SHA512 | 2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
| MD5 | 48c00a7493b28139cbf197ccc8d1f9ed |
| SHA1 | a25243b06d4bb83f66b7cd738e79fccf9a02b33b |
| SHA256 | 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7 |
| SHA512 | c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
| MD5 | 4fbbaac42cf2ecb83543f262973d07c0 |
| SHA1 | ab1b302d7cce10443dfc14a2eba528a0431e1718 |
| SHA256 | 6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5 |
| SHA512 | 4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
| MD5 | 5c91bf20fe3594b81052d131db798575 |
| SHA1 | eab3a7a678528b5b2c60d65b61e475f1b2f45baa |
| SHA256 | e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175 |
| SHA512 | face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
| MD5 | a334bbf5f5a19b3bdb5b7f1703363981 |
| SHA1 | 6cb50b15c0e7d9401364c0fafeef65774f5d1a2c |
| SHA256 | c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de |
| SHA512 | 1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
| MD5 | 7c5aefb11e797129c9e90f279fbdf71b |
| SHA1 | cb9d9cbfbebb5aed6810a4e424a295c27520576e |
| SHA256 | 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed |
| SHA512 | df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 3f8f18c9c732151dcdd8e1d8fe655896 |
| SHA1 | 222cc49201aa06313d4d35a62c5d494af49d1a56 |
| SHA256 | 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331 |
| SHA512 | 398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
| MD5 | 7210d5407a2d2f52e851604666403024 |
| SHA1 | 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9 |
| SHA256 | 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af |
| SHA512 | 1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
| MD5 | 4be7661c89897eaa9b28dae290c3922f |
| SHA1 | 4c9d25195093fea7c139167f0c5a40e13f3000f2 |
| SHA256 | e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5 |
| SHA512 | 2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
| MD5 | 0a250bb34cfa851e3dd1804251c93f25 |
| SHA1 | c10e47a593c37dbb7226f65ad490ff65d9c73a34 |
| SHA256 | 85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae |
| SHA512 | 8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
| MD5 | 1587bf2e99abeeae856f33bf98d3512e |
| SHA1 | aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9 |
| SHA256 | c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0 |
| SHA512 | 43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
| MD5 | ed98e67fa8cc190aad0757cd620e6b77 |
| SHA1 | 0317b10cdb8ac080ba2919e2c04058f1b6f2f94d |
| SHA256 | e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d |
| SHA512 | ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
| MD5 | 80d09149ca264c93e7d810aac6411d1d |
| SHA1 | 96e8ddc1d257097991f9cc9aaf38c77add3d6118 |
| SHA256 | 382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42 |
| SHA512 | 8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
| MD5 | e7cd26405293ee866fefdd715fc8b5e5 |
| SHA1 | 6326412d0ea86add8355c76f09dfc5e7942f9c11 |
| SHA256 | 647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255 |
| SHA512 | 1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll
| MD5 | 497fd4a8f5c4fcdaaac1f761a92a366a |
| SHA1 | 81617006e93f8a171b2c47581c1d67fac463dc93 |
| SHA256 | 91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a |
| SHA512 | 73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
| MD5 | c3e8aeabd1b692a9a6c5246f8dcaa7c9 |
| SHA1 | 4567ea5044a3cef9cb803210a70866d83535ed31 |
| SHA256 | 38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e |
| SHA512 | f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e |
C:\Windows\msagent\chars\Bonzi.acs
| MD5 | 1fd2907e2c74c9a908e2af5f948006b5 |
| SHA1 | a390e9133bfd0d55ffda07d4714af538b6d50d3d |
| SHA256 | f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95 |
| SHA512 | 8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 58010fe12c8fea855140aa5de8c0433b |
| SHA1 | 5e9642bed281c6ac2f6757de98c22a3a7f9420d3 |
| SHA256 | 03cd3447f8984c0f4a22f4a6324e2cf7de7ab3d78e8fc165541b2ccf7629521f |
| SHA512 | 7edf8782722b93d43535657bae9df9bb6df21ab52c6c5981a9633080cf37b6327830ceb63a3520c27e1d1aad3ba4ff4c7b28ba77cb88a3c8567cc50166dd66eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b1d0cbf1dd8bfc96247922a396358a68 |
| SHA1 | ea31a9d7cb6a4f55e42368cf3ae9bbf186a080a0 |
| SHA256 | 6ef4b01aa54264565ff7541afc5391ba5e6bf1c2b657487d3f4cbf5db44e5b99 |
| SHA512 | d7a4558ee22c017bff8953d6453cb7e0f23741ddaaf82d3c2c543485aa7a43081d8a6dd30dda4dc5cd8f7258731085bb8a0845016f8f33b6b7acf79070aa087a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b4903a4d9bab0d4d6430e9ee83ea0cac |
| SHA1 | 1027d0666462870ee8c0e4e36961d0060d80117f |
| SHA256 | bb930b0e76ef231fdb6b51ff42d2a9d3a4c6e4e49b90ed2bb135f17bcb40f9b9 |
| SHA512 | 441c9530ec0227f9e982544349b0d6ad1048ad51aa37e12c1e9ed0cf1e1353c7880fcdb4bbf67088e93501ab2b7883c5588e9a2796da84acea0b0e3bc302c867 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cd1447cb263c0827c886823dd3b28adf |
| SHA1 | 98b99b37bb127e0a1d0822db79fe5145933ba607 |
| SHA256 | aac1475e8352120550d91dde103463ea8cf146f5e896167a042ed7894d75d4af |
| SHA512 | e4b42c52b4de63dd9be59e66141bbdfcbd8b036e317cda791312ee6c5af0d6606511bae6ec521a80f8abcbf4d935ef848491415cf56a73c1347c3ef23f14b29d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | 96f75329aebfdd16b648289867313a65 |
| SHA1 | b71ad74437c3200edadaf8070cb3d27533da8157 |
| SHA256 | d9f2b298b1ecd5544c0f140bf0eee7543a1b833403e1a74d6f4485fbe5ed5f4f |
| SHA512 | 27926d5497159132178bd83dc6236836109e1a489fa845be27d5249487c6c47193e805bbbc8e5850e5dba2123817a1d4b566674cbaf3d08c33f200fd3acbd840 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | 3e3bd90eccd15dedb3e0f0fef868cd3c |
| SHA1 | c4cbe3416506aa3e2aacff8a55ca783e353d11b5 |
| SHA256 | e50d3bacab934e1a41a2d0bc12fffee0bd9be08e3db315926b1223dafb4ae543 |
| SHA512 | 732352039aa7768f7e9715e2156dba49a705be55998259f7185bdeb4f7cb5a818c864914ab92546ff46df6cecbb8623d325c07d864ae709a6dcf9413b4b983ff |
memory/4440-987-0x0000000004860000-0x0000000004861000-memory.dmp
memory/5240-988-0x000001C043A00000-0x000001C043B00000-memory.dmp
memory/5240-1024-0x000001C044EB0000-0x000001C044ED0000-memory.dmp
memory/5240-1023-0x000001C0447A0000-0x000001C0447C0000-memory.dmp
memory/5240-993-0x000001C0447E0000-0x000001C044800000-memory.dmp
memory/5240-989-0x000001C043A00000-0x000001C043B00000-memory.dmp
memory/5240-1366-0x000001C05A620000-0x000001C05A640000-memory.dmp
memory/5240-1404-0x000001B841E00000-0x000001B84372F000-memory.dmp
memory/2900-1407-0x00000000037C0000-0x00000000037C1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WSEA9K3C\microsoft.windows[1].xml
| MD5 | a10a5315af9b5ec3f167c7c4344ab6c6 |
| SHA1 | 4e80fd779c1f21ecc2803b08447b0aafbf7eb04e |
| SHA256 | 378ae674b3bd38b758bfc3e454467425f2481eef9c527a912088e3b541e31bb0 |
| SHA512 | db214e86079aa7ce528a4846654428a2214f005859c0c5624417574cf299d6262c7046f0d2047484ac168ae155f6743679caf7556adbf96a83b554b7b26f2fed |
memory/1452-1409-0x00000251F76A0000-0x00000251F77A0000-memory.dmp
memory/1452-1432-0x00000251F8BD0000-0x00000251F8BF0000-memory.dmp
memory/1452-1423-0x00000251F87C0000-0x00000251F87E0000-memory.dmp
memory/1452-1410-0x00000251F76A0000-0x00000251F77A0000-memory.dmp
memory/1452-1414-0x00000251F8800000-0x00000251F8820000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
| MD5 | 9757d4322dfc14c6693d850793168525 |
| SHA1 | 7d211744bacad1d08d97745a3d294d6b59e592c1 |
| SHA256 | fe0fbc77fe7f24acdc589f7852da23b9819007442c15cff8a5816252853662da |
| SHA512 | 1670f9c23dd1e5ac8499a039744e4522dc658b0133bb4313d09c7079925a4ba7c97d16570c0801d3390ae097f83e9a9173bc63ce25994c192d5008b46fc702ef |
memory/1452-1853-0x00000249F5C00000-0x00000249F752F000-memory.dmp
memory/4516-1855-0x0000000004940000-0x0000000004941000-memory.dmp
memory/5304-1858-0x000001B2BB090000-0x000001B2BB190000-memory.dmp
memory/5304-1859-0x000001B2BB090000-0x000001B2BB190000-memory.dmp
memory/5304-1893-0x000001B2BD6C0000-0x000001B2BD6E0000-memory.dmp
memory/5304-1873-0x000001B2BD0B0000-0x000001B2BD0D0000-memory.dmp
memory/5304-1862-0x000001B2BD0F0000-0x000001B2BD110000-memory.dmp
memory/5304-1857-0x000001B2BB090000-0x000001B2BB190000-memory.dmp
memory/5304-2018-0x000001AAB9600000-0x000001AABAF2F000-memory.dmp
memory/3960-2020-0x00000000031D0000-0x00000000031D1000-memory.dmp
memory/4832-2024-0x0000011895830000-0x0000011895930000-memory.dmp
memory/4832-2042-0x0000011896D50000-0x0000011896D70000-memory.dmp
memory/4832-2038-0x0000011896940000-0x0000011896960000-memory.dmp
memory/4832-2028-0x0000011896980000-0x00000118969A0000-memory.dmp
memory/4832-2025-0x0000011895830000-0x0000011895930000-memory.dmp
memory/4832-2023-0x0000011895830000-0x0000011895930000-memory.dmp
memory/4832-2181-0x0000011093E00000-0x000001109572F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/5852-2191-0x0000000003310000-0x0000000003311000-memory.dmp
memory/4216-2197-0x0000019F241A0000-0x0000019F241C0000-memory.dmp
memory/4216-2209-0x0000019F24570000-0x0000019F24590000-memory.dmp
memory/4216-2200-0x0000019F24160000-0x0000019F24180000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d4918c8351eb802777f1dc0ef19d1e6f |
| SHA1 | 3fd2b0cc0b786a928f029b623b30848486e8c2ad |
| SHA256 | c87a7a0beeb6e871dc95599fcdc8f72722706092d216b54b31b09021eca3e5c9 |
| SHA512 | b72a0fa4d8517245de42ef3beb148f13c6902c1db68305d9a2b0e3aaf0730bd73fc5ac4df59f5def3878fe12316661dd6cfb677536a0e914417e7a74b1469ca2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f1330e1b2d4a8c622ecd1df356e72155 |
| SHA1 | 1e95a42bce20e4d083bb4048b5dfd6b04db6763f |
| SHA256 | 248f753863fd8710e7ce7d689eb5ec697750581cc86c5409d93e499f80494660 |
| SHA512 | 5a04a0f0e3c7a27f6ed6afafe7d1c8bcf329070e98a7d3d775dce21996d408a1d6a3d2be496073e909dcb2ccbd87e39c3a859dd5d6b780dd0576cbd01fbd33ce |
memory/4216-2482-0x0000019721600000-0x0000019722F2F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0cce2dfcb34afe73889a1a249dc8e67a |
| SHA1 | 30c3008033dc2f77cfea9687e01f0159e3576f04 |
| SHA256 | 5987d89e7e2d8e5da3723258983f233903a8cdb24daf9bffb0963c690fa24346 |
| SHA512 | 601a5cdfc8516e866a6120405c70b930b6932eadac7c2816ac3c0cad5720d35a2752c2a2fb23fcbd6691e5d475742df667ee43f5992090c3741b4c450557b54a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | f3052366d5269a306af97421cbca0a68 |
| SHA1 | 1ccc927d72a6513ad50b5181a022624dc0083f84 |
| SHA256 | 807a5f37e04e3ca2e1afa918f149ca462da9cd9b8fc2033dc98635e26d6f2355 |
| SHA512 | 4b2facdbb2bdcebc6eca60b54a16623386ba8bb53fe5d3fe61746b642e5293451d47cbc960837aa695487dd4ad5cf65355771d650aea6eac4c021873a9410bee |
memory/1328-2510-0x0000000000D80000-0x0000000000D81000-memory.dmp
memory/5996-2513-0x000002EC5D570000-0x000002EC5D670000-memory.dmp
memory/5996-2511-0x000002EC5D570000-0x000002EC5D670000-memory.dmp
memory/5996-2512-0x000002EC5D570000-0x000002EC5D670000-memory.dmp
memory/5996-2528-0x000002EC5EAA0000-0x000002EC5EAC0000-memory.dmp
memory/5996-2525-0x000002EC5E690000-0x000002EC5E6B0000-memory.dmp
memory/5996-2516-0x000002EC5E6D0000-0x000002EC5E6F0000-memory.dmp
memory/5996-2656-0x000002E45BC00000-0x000002E45D52F000-memory.dmp
memory/1192-2661-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
memory/392-2690-0x0000026DA6900000-0x0000026DA6920000-memory.dmp
memory/392-2678-0x0000026DA62E0000-0x0000026DA6300000-memory.dmp
memory/392-2667-0x0000026DA6320000-0x0000026DA6340000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a0315664e496d351e3980be50105f581 |
| SHA1 | d3ec2ac33b3444ab7245fb9cb9d8a47361169464 |
| SHA256 | c5596a4565e48646e288772bca2d136350b46874a5e46e892e76e0767bcc74e2 |
| SHA512 | 1618b894f2b99d4c9de18b0b1e4cafe0db9e5a20648bba0627d16fcea3538d757e525573496b48501059c6d82051b51601dc4621b1b85e76fc2feac5368bb910 |
memory/392-2832-0x00000265A36E0000-0x00000265A500F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8f342c1c710e84f062f0c9903cae35be |
| SHA1 | 820c338ccf1f30e7e86f4f4e327a0ee406c4057a |
| SHA256 | 9efc74aaa329df0b9ad070ec308ce9ebd3bd6a984818de0c369a705438acbdb5 |
| SHA512 | cdbe7ff46f6ea0630b4e84cf353cf4d652ea10b8ea95ed9f5ca86130d4618d7b7251d5df7866c5db04a63ce1fac7e8ed035438bc25054c1d0600744cd842492e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 35bccaeb01e3be6df3a87ec71f893557 |
| SHA1 | 254842e6661aa7d3a489b3b368a427ae7070158a |
| SHA256 | 15298b738864207b3e068578c82ec08da2992529aa118cfdb131c7df84484a6e |
| SHA512 | 4d60ba8986c9f835bdcfe1005a59530be96fe0e05c2c5f44fd5d4967abbd218c699e85318f38daeec788282d8342a601094c3703a5ef6eabd06c0a3e1ff40169 |
memory/2036-2893-0x0000000002A30000-0x0000000002A31000-memory.dmp
memory/2936-2899-0x000002BB94C70000-0x000002BB94C90000-memory.dmp
memory/2936-2895-0x000002BB93C00000-0x000002BB93D00000-memory.dmp
memory/2936-2929-0x000002BB94C30000-0x000002BB94C50000-memory.dmp
memory/2936-2930-0x000002BB95040000-0x000002BB95060000-memory.dmp
memory/2936-3041-0x000002B392000000-0x000002B39392F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c7b4dc99c2e3f9d6a6c9584eedbc2d93 |
| SHA1 | b57066c202b87d2325512e0353a326e86b9dd2e2 |
| SHA256 | 0b2986510f3598ff8c545869131fea35e16b6bd8d789275d0b78c6bb82d404da |
| SHA512 | 482c6063f3795749404bfe2b6502ffe3e0c5471322369cf243a33b4191ca723e2052818926c10ed56ada2063f45f08f4010380b2812f525aeacc8a555b1b135d |
memory/2508-3052-0x00000000045D0000-0x00000000045D1000-memory.dmp
memory/4024-3054-0x000002B5FE700000-0x000002B5FE800000-memory.dmp
memory/4024-3055-0x000002B5FE700000-0x000002B5FE800000-memory.dmp
memory/4024-3059-0x000002B5FF7B0000-0x000002B5FF7D0000-memory.dmp
memory/4024-3073-0x000002B5FF770000-0x000002B5FF790000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 02887ea8bf0e5e48743659d9afae985c |
| SHA1 | 9a696244cf039ffcbe387b4550142d46ef0af9c9 |
| SHA256 | c7964080d9978720e03b43a1687d93876c5fabe7ce055d27249f9f0ef6011498 |
| SHA512 | a8a919278554b6efcd8e1f763841111ff20e17ccd2430e18a4adead85b93c3ebb416ca4ff3995323affd03e6ae291bae25de311cf0ca8c5905c02c0383b6131f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133632860344874154.txt
| MD5 | 0f5e6c082bd8f60409d8670ebe7191a4 |
| SHA1 | fca2669f81acdd9883df0d85c531fd22c7e3a281 |
| SHA256 | e59485ff3e0744735d163e19d99f6c35733735c62f12f2673c28336db616e8e9 |
| SHA512 | 5433c400d5b5e4041bba894b7123ed47f38e364796cf9e96964262b829d10a3a2f0b5e4eca3784e0ff22d31e1c07bda2a1194115078766fc6dd6520fefa14e1d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.quora.com_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\76ef9e5953a1ba4578548bb32235240a9f0e0ca2\index.txt
| MD5 | 38620960bb29ab002be8c52e9e0f7ab4 |
| SHA1 | 628f97540c02dea7fd0e2afc08513860bb76e2ce |
| SHA256 | 1e2fdf87f77fa8ed59d015db106984060dc96d832fe5844780abf1ca88c1a121 |
| SHA512 | 10823df80493c7ae4ada696d4c5cd103d3bae1810e8a32cfe0a9c20b2c7d9b9bc7242046e66408f26d6789b0de0b2a8bf6807286aa5b18be0808b2ac57605767 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\76ef9e5953a1ba4578548bb32235240a9f0e0ca2\index.txt
| MD5 | 3ac5e090a3eaea91a632cd48b329983a |
| SHA1 | acf300405d1522b02b9d105749006fe53857f69b |
| SHA256 | 1ce697be307e4536641363f47a143053e2ca4b488f841223bb507f14f337eb7b |
| SHA512 | ca0e7fc842edd66a2467a6f22b4bc9d7ce5594c5867c75c65996f0a46db7a0b24d5b0ccc53aa3f4cf9fb061ed5e058aa06638ac24cc1b4836d7c6304e73aea12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\76ef9e5953a1ba4578548bb32235240a9f0e0ca2\index.txt~RFe59e536.TMP
| MD5 | d41c6dca2a45836baea760b3db1b974d |
| SHA1 | 7d3e02082701100bf06090ab1dfb3d6dd7a441f1 |
| SHA256 | 2af3df91ab5d2ce627e5355bb82e23a02c6fd65c1f405984b1eb7ebbd3355b6d |
| SHA512 | 906a85bc927275093ab35146e50182962bc975ccf05bae53dc3f349155540fc5a2b5885f44e784ff8f2391ad9ab1541e9ab4b41db01b3482f147e82415f34247 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4d582e71d4441db5b318495c0a5523cf |
| SHA1 | 0cac1067cc120b1728418f2f745089851c79d73f |
| SHA256 | 07c25bbf1d1dbb7f3f2093307b3bd6c8bfcf35a601c433f4cc8ce14485fec7c1 |
| SHA512 | a47998e7dba4b057d5a7a40127b517dd1e66725361bbec57a87e378e6151d463bcf3c8e53d7d53b33a729dd8b56c2da8c62a6c7b458418d9dd7778c23c313584 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | ade1f8a6cbd9b25cf8f3cbe3908c7480 |
| SHA1 | d550ca81dfcbeca3ca1bc19c06d25469c2c95741 |
| SHA256 | 288f4ccf51f85f97bcb730e895ec61e66fc2a9c58e3aad2ddf3f2a6bf97707a2 |
| SHA512 | 4d86b9affa44790c99b57a8dfc0c72c435c3435521402497607bde1d971b963c5f286f7450bc6d4813caf5b80b8fbe6e04a43d5a931fc600bef8467838109eb5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 04c3c4b3c8ccd501daf08223687c23d5 |
| SHA1 | f694ae21357685df06d6e0184f7c63d1bf035bc4 |
| SHA256 | b67241657e2ca597c013ea887701ac8cf5ee6f6c9399b0a2b354260e3d4d7da4 |
| SHA512 | f44632b13d0ff089e66de5ff4a92271f9a20244949d4f4bac43ccc038e8ac8402c6c9873dc1dad2e6bbe718581afe15a7bb81292269c9086a13b24c737c2c91d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | da625b6a8db6ef4b5e9662e10dbf0590 |
| SHA1 | df4ed632791555e190a83896ff709eeff0d68c26 |
| SHA256 | 40a182c4938369f1aab96b862d1c527b6e1a11d13b8c7c3be50226ea501eb34b |
| SHA512 | 96d42cbbbc24c7af6926018e8eb849443507f339df0ed25b48e7c997ffea58a37bac00bd14265789be2d426102e6e1baa3a913a7e99c96e0833e317d468ae537 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 53dc82973e18352f896595010288efb8 |
| SHA1 | 3fc1a4e9d47c4a4e92fddbb5998ddb5e22c83ccb |
| SHA256 | dace968d579c7f754d79d979c3371df4ebd56360c8d4112ce83e23275d8759bf |
| SHA512 | fced0d901d9966222aa12c94448d36333d763a6815afd5dad17ac86c364c483c1613f062f7c58821e05df19954bd97dcac7f5c0eede402e064de2fef88138daa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0cb98ee76c31d90d2a03d423cd222a9a |
| SHA1 | d9c5981c0beb39e3c2427cd2a181b288e9c7dc1a |
| SHA256 | b46190eaa4e05a32a170b27c4184db804136aacf15918fd67504b5f0980b2bf6 |
| SHA512 | 6e8d39bb86d9a836fb3f7577feb01dcca5d96b8d8b3ced7f47d4527dfccb346b6a484b9f3e70ff9cc137978eab0baec84b87aba7a8b66d368305dfb4ee4d3a92 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | b8f54c4573fda94f762cf225b4904898 |
| SHA1 | 11ff0785176ccdf0315739298cfbfe7c3fd31769 |
| SHA256 | d062566cc6f3d1a6a214cab729b1cbcdd49f1c3218a8b3a723e9b50798eae800 |
| SHA512 | 843011363b6352ce3c3915ae422d3c54bd973d2080e8fb9bed87a7f57950282b13474561cc5dc1da9b068d058b8ccc19c6b5a0e46dc727348b91f0f8be1a6e47 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 4520d3061289d91058456fd2c0bb48c1 |
| SHA1 | 78a41cfbeba4bb8aa5b115716dcaae9f02c317ec |
| SHA256 | 285580e585308be99ded3c165098caca1fd00a1a48ed7b3adcdd8b83f186f3f7 |
| SHA512 | 3161861465f70346d59af1d7872bec5fcb03a33b8c5f9cdf3406f78a998f493e61992c1c9edf6c41c2e00e5df4a2c6dbe9ed5942f8c636f3192becef4cd82261 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | efdf336c3d3a1adb92b2ad84b9e0ddf8 |
| SHA1 | d12684bf46d8efdc7fe65d72974a64f8cfc83aae |
| SHA256 | a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc |
| SHA512 | d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\90169588-24c6-49ba-a719-937c240693ce.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d97db1f20840e3aeb0c23ff4cae5df4d |
| SHA1 | 58a4746f8a8abedadfd60e44b83dc8ad76df5206 |
| SHA256 | 7d21fd6b903179d22e7bd8386339368b572c65d18e93b9db019d460b950850ac |
| SHA512 | 7ebb1fc61a42a3794158b75f2477f363a34c74b10042221085c572b896844daefc28bf870715ee526d492617668c400157254b36f9045db46de28eee5a23127c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2ad11e9dcffc7e746629338a096d8e0a |
| SHA1 | 8c7be5600cf096a06d7e7c9cc292d7b856f02dd3 |
| SHA256 | 7c0a1e453d3b808337a5cdc56b696547999a1c225f462098de47acee692bdf2e |
| SHA512 | 4d59887becaeb7739711cecdafd130c634aae3ca02253d5d37f500432101e26844e29715e47742a16cf0c9ead90ca9a805af7b37937bd02228380fdbb5809d39 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0e3c4315b57e3594596642720ada3501 |
| SHA1 | 7c49453acd96deb0a9c50dbe2836594d41eb551f |
| SHA256 | c05f0580be80eca698e389f2517d4adf4a6d011dfa56f229cdacd76df67ad0a3 |
| SHA512 | e2d7c1a84f806ae7337193a0595e51b9d5c496f4d8b02cd79c003efec7972638ef3793967a64bfec6b082e6b1de61e5009bff2b5b2f5ac8dbb47ed76077da906 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | b6f48def1ad0dc727f479ce8ffec8a6b |
| SHA1 | 488a3d7c23f20d7c90d9cd3010d31836d67b4028 |
| SHA256 | 88b9c140ca5cdbc682401e0cd009ef606ef17510c596d69c12b629f720543aec |
| SHA512 | ff657c31fa12c36894ac6002bbc33c3263739b9727aa255687ff9299087d47b2a6b390cd0bb6ce588b992c245e497f5e9178de97bec3c72a2d696160dd9f3a9a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe63ec0b.TMP
| MD5 | cdc25e6ed8c8a3501542b94faa87b508 |
| SHA1 | 364ade612b501c5cdc4559598308ea3a40ad8698 |
| SHA256 | a66d03a15fd99b9436f53d4f55490f32e3f3b3446e2f4e9b3dc067eec625c4e7 |
| SHA512 | 48243dd7666fa609a9420f347a882429ab63e819ea63ca0162490372cc31bc36272f102d17e957412c749fc633a630bb34728bcf62591babf3b143fecae6a179 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8fdb602066fe4d64b0e2956f8b6b0520 |
| SHA1 | 581f3f36bd5c7e72244d8da940910f6aac9002f6 |
| SHA256 | 70c95033c2209af86b1c946f0fcea7614c853ab3628178cf87379070d0c06dc1 |
| SHA512 | f32f4805528d8e06411882c134e7e7582f4c7598c7a7f92812839674edf1c9c99e27a95f6d4dcb42de441c2ae3b4e916db874e00fbfb00d76afb18197af58786 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 52514c95c537c0fd5d44c05d61f4e54a |
| SHA1 | e3d04521569d912b5e7d8ddd8d27cacc78ef438a |
| SHA256 | d0bf8f96cfdf0fda92faabc990d25193389bea812ad5fee182e37649d915bf73 |
| SHA512 | cb129ac43277cca653f840730924c78f43851e5be424852b4d703cf8d61294970a722049d2491a4b4c3a737d8d3d19c8081b66012ff28f5cfbc760faa72ff098 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5ac02154ad832b8d373e3dea47f94997 |
| SHA1 | c610f9f7469faeb888dfb65dd215c54a33a7909d |
| SHA256 | 74dd48ad6d2f56e1b21099ee3ce1653a9af3336b178161051fbd57a1fd263d30 |
| SHA512 | 720ad298609804f3614f896ef34b936092a95817b6e369ac0fe0b39d551476451e79cba6d81c7a540ca78807d6ea4b2b38354be9a30f50264ff86f03b91fbcea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | aec89792cac5e58073c43f71a4776fda |
| SHA1 | 5b5bc920cc00a596efe9bc71bcb1f4d5dc1cefc9 |
| SHA256 | 58e2cdd78f4e31d037010203b511dbf8733c0706f6c5a6fe3d904e5ac2dc701b |
| SHA512 | 56709f8c46d2185adf5433849b6892bbab1473b7a1d052fad203b6590b5298f4be35296731f04a8350eaa6af6f6f0eeae77a83b1341acd4d60aacb905ec3491b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 4394afe4b213676d5f01de50b2fbbf9f |
| SHA1 | 9ab54838bb39c6fb3fd981a90384078e0aa4c82b |
| SHA256 | 7412fea61d81a081c0adfa74f8ad2c68ada731f3bcb3cfc1ecbdb495eb2ed912 |
| SHA512 | 98665530cd7f4824e0217d9cd5c363c023606335097bf09c57d603425bb7032e97b21ba2eb3596094aa6b515a4cfb19c0cbcd5741088e41f5eeff057078304d6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 12d6d4ab8caee9ebc9ad20817214b2c1 |
| SHA1 | f5bfeb16f2ce519f8f4f624040f38a62ecd75c85 |
| SHA256 | 333e2bfabc9498d4628071414b48e1e8590e30527d5021407b4e1c4c10003d7c |
| SHA512 | ab5fde1c3ec9f6bb62a19c2790f458174a628b69f4ad23c862db487e633e45f9bc97257720923c5cc5a096b8f86f6db437e220db897a521b707eb27cf2a9929a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 955be70a6a9d39b7a55f36568ccb66a4 |
| SHA1 | a6d7688d7480469b0a5cfc58004ed20dbdbface4 |
| SHA256 | fc2f9400eae4b246ff0fd501014c85747d1531083a8bae4cf9f4dc91bab84569 |
| SHA512 | ca1b8530f921893f040c091b9e58b2546af817cc8ea24ff42b815ad4fce093f132ce0d43ab9ca8de18c241209c27be22029b913902994d1f64144b4dcc2ef8f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d223dac9b1fc9d4e802d65ab349dce23 |
| SHA1 | 4b29ff90882ae7fca2a185b817c20e89703eb0d2 |
| SHA256 | 6225d7a77aca527e1a854abd4d35e5732785f5987910f63039aaa475986c1543 |
| SHA512 | 8b02f32b051feb9a1f8a7c0f026a1492a8001777a64552ab57c996afc33499a820f3d4494f364f3296d9760a9b40010ac48758018acb292ca23c7777ac7c6a4b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | dfeaa2cf978ce5246671c005343b7ec9 |
| SHA1 | b0b3bc1f4c3cbbf0897c0219564f0467299f16a9 |
| SHA256 | 55ac6edf29d523c814619ae30e839409153f3ff2587d0ac2ad9b5c6326a546a1 |
| SHA512 | 804a982a4989f06edd1d43fc19ec5d03ecc3d490bb76d1c5fefafdeaf91ffa3557a35cc0d278b2bb0e8f85f6fb61e2ff34bf9d73c8cc03a9eed841ef77d2adaf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 19ef529545846738e8bfde0e68ce8caf |
| SHA1 | 7242ab83189e7bf3b847942460c9e30cf9508225 |
| SHA256 | e41bb415388588cd3a9bcce028adf880d30ecb51213e56b461caeed562027114 |
| SHA512 | 4dd7f8ef8c5b5221f17f91af29f1c69ecf172f7d8f6ef52cae223060798b150673e5fbb7e270fd4452ba5b86b4d22ea1531f4bc80a4f86b9f011e2dd8afb252f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 763783eea03bb0eb9f50917a529fc386 |
| SHA1 | 7bf8e0359744d4ccb75f125681f9c6ce68bbca5a |
| SHA256 | 988e9a54718727a9e265d9fecf4e49be76d7e2facdce8121f705a1af1c22d988 |
| SHA512 | 12745fb057cbe3b9744b0589bc5d7f56ef991404afde10995c4794e822188a6849995147e471cf6eb46f1b228718c581174bc1e25e92cb7a933a0d6f7ae7970e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1f5b01b5af6d0457486c9c866e730b99 |
| SHA1 | 5e5ab50fae5e872bde804c27a10e2ccebf821df8 |
| SHA256 | 5863e23d9696e21714eba3743d263fc486ba5714b631e78908462d4980c7aae8 |
| SHA512 | a3da669272f418bd3b3212f23c5945bde791249294d46d0adf1a3208503e9490b3909024b958ad44806088d1398766b5874fdfb32b9a4aec7b84f8675a289dc3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005e
| MD5 | 91ac24c412b02e7cf7f01b1a74f458b9 |
| SHA1 | 109a5cfd6850c8f2305891bfe96bc66628281886 |
| SHA256 | e0b74fc4931136feddd531e009912ffaa7b20a2ced45a5e523bfbe7b5aa759cd |
| SHA512 | e290068e60c99669bed7c2b006348ea48781896d46738615403f231b142053c66a39a6379522376516194111d087756defff14800d3e48689954c4229a7f4d5a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a
| MD5 | 654b495cf8877c0a6c9423793216dd88 |
| SHA1 | 17526245d961301ad40c738f6b6d16a2afe6ac8a |
| SHA256 | e6e0c443422b16eb462ce281ca745a2e8cd58d266c10bec39a12dbd45b92af69 |
| SHA512 | 0c319332fa505d54972ec8046e209f109c52dde42ae303d862856e2107e7f16ed5332375acc5a9c1272d940dc7be3576e57b833e3746ffbbbf9b8c71ec3482f2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b
| MD5 | 443826e43ae39d6b6d996ec061398f84 |
| SHA1 | a996ce34b3bac4eb02a8c113b1105de8f17f0868 |
| SHA256 | 87fb32803b0681980e6fcf71b9d20c00239b622beffa02de6184e8b15d7b9b51 |
| SHA512 | 6875d9dfaa2d4b0fcced2350ac95aac477e9289ffc4e192f8a3d20eda57020d31d6feff74b5f4978f1e5f6373b13d81fd041ad95978c1a20c867710bb1acd477 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000039
| MD5 | 3dda883b89b1f31dd1e8e0be2d4250e9 |
| SHA1 | ff69000e8307afcb2b4db7d6117b47975f9de06a |
| SHA256 | e60268695e6c66a62ad318850e45954bb22d21f2ae62fe9f0c5490dcb1e69f9b |
| SHA512 | 25176c5acc9cf658129508ccc1b7fc8e93777cc59a404caf06a0e0eeb7c10b5276923aa51d56a99ebfd45d9f05b16f598794fb31ea0aa39565770b3c3b8c8c43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c
| MD5 | 296107fd9e4b08da2a5eb5381e62e59c |
| SHA1 | 0fab647f77db64c6284dd6335f6f01696217fb88 |
| SHA256 | 9a75f06abaf3c4db9cb4110d32c18ba80356efafd79e6f6255aefc31054ff133 |
| SHA512 | 519f5c12f414e6321e63c5c2992b4eb89131334543310513ffefcb9b4cfdc9cbf9adc48854dd40daa8475b238ec4a1b1d6f31d666e5edb773f433582777bea43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2b6ac0e2c0ddd800f98e16f948f017c7 |
| SHA1 | d83fb0f28ebf030ef12bd4ecda9513725bef2d96 |
| SHA256 | 80bbc6a0f678a1dbacf22334c49d695ecb4fc952486e7781ca02abf5b113ca61 |
| SHA512 | bf49e0df43dae54249caf7765ab3180be1ac6870abe0658af8a4f3e9ae96e18f0c78973c71792958e2ce5bfee752807ce87cc93db3db8684d7d11e56c6c3b89c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d
| MD5 | 20adea22eec53811cc6bb3e6fb9648a1 |
| SHA1 | 89ccfb989609bb343bff0f260fbc28e78b0ae16a |
| SHA256 | d1b7f4208210049da4739648765e40bb8d8f0a7fd4e942df1d736e803739f5ea |
| SHA512 | 24342b4e909b88faa4b028aba8428bf4b3fac6203a61e74890a4c3439817444826c6d4785f0cef484b73c6116a9913c2980be3c59abaf2b3711942e1e53e6b55 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | f06b318140dacba6113d1045d9802209 |
| SHA1 | 8bafea88c60d91a12799087418fd8b6696fa10d1 |
| SHA256 | 3a514872b4c09858f9092b71c05fa4e7f54ed714b99f8774b399b814341fdb56 |
| SHA512 | a6e3aace7b1d9a0bad621ebdcacf42a011bc6e0a7485d5eb1a85b02568e49e2602480a575fa542b015d77a94ff37fa502f42550116ef52ee8d51284685ce21e9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9781c39b-2765-4701-85a1-81ea9560a901\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000067
| MD5 | 0f3de113dc536643a187f641efae47f4 |
| SHA1 | 729e48891d13fb7581697f5fee8175f60519615e |
| SHA256 | 9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8 |
| SHA512 | 8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ad8d332025d91867b573d082aa6255c1 |
| SHA1 | 38ce15fb5736e37c53cd42344e0a4644b5af14f6 |
| SHA256 | d31eeffd38d229582632d0fac55900bdabc07a8fa93fe83e8c8e38aaa97f6420 |
| SHA512 | 8509a1c8da89cf1f34f316d52f8b4e417559bf0460b8db5ea970e850bcba73451cb530c474d81588c0fd552f8bc8a1e6e01820ac24127cfe06d49cac184a06d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cd2a2e085cd2cdf5011b634e4dc63072 |
| SHA1 | 5b68b1ca8350e541f9ad935d84518adaefbb27cf |
| SHA256 | 3ad9cd370449089c38bd578838c1aa0a6117cc3803f92c740c1df18342c7cd2d |
| SHA512 | dd50eb115ba592dcdf3f2195527f8b1e5a5124ed672bddc4bb6999783f773a4df874a791a528221070a7d0c4a1cda18aba4cf0b860aa16f80001c640e9020744 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d451e374-70b3-4422-b978-a309704bbc1a.tmp
| MD5 | a6781b392d6ef3b2be936b0a9488c32c |
| SHA1 | b3c4043d988ead27f7fc6c1793f096c3b5ef7fa3 |
| SHA256 | e147050a2631d2375d412d14bb6367a7e41cf08c28fe4e64038672f59b6ef942 |
| SHA512 | 3c088c2172ca84ac2f44f3cd9c85a5a3854b1fa20e0c061c1f5d394f1b5af413caf5aa0ff0e6e4441d55644375371ebe26471044de4c3e5d08c9d95b7a0d881b |
C:\Users\Admin\Downloads\000.exe
| MD5 | d5671758956b39e048680b6a8275e96a |
| SHA1 | 33c341130bf9c93311001a6284692c86fec200ef |
| SHA256 | 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47 |
| SHA512 | 972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7 |
memory/5480-6454-0x0000000000FD0000-0x000000000167E000-memory.dmp
memory/5480-6455-0x00000000068D0000-0x0000000006E74000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/5480-6472-0x000000000CC60000-0x000000000CC98000-memory.dmp
memory/5480-6473-0x000000000CC30000-0x000000000CC3E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 4433eb70ac3775838bcb5dee85687883 |
| SHA1 | 732d8cc92595c651d01a47c9dd43ba9c581e79dd |
| SHA256 | e91af4b23905f0b796868bc7d04a6c8809959f2f42580924de33c8b68832b4e2 |
| SHA512 | 2ddda50105a36598ef93d4c7db7fca47557cf614804fdf367c069aa739b435ec7f1fbe542b8fa186a8c6db8cbc7f399b8e2e0d77dd52a1c53ff9b42ff6628352 |
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
| MD5 | 9037ebf0a18a1c17537832bc73739109 |
| SHA1 | 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60 |
| SHA256 | 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48 |
| SHA512 | 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4c03252048cab9c191abf81f83cdb7d7 |
| SHA1 | 92820bcfc6df984ad3ff7175c00def93ac15b9ee |
| SHA256 | 940bf289c96e9b1cfcabd4cb9c69e0502698f26859aa73957b7ded04c0a76a8d |
| SHA512 | 9a105e704dbe15239771e7876db0f4d81e21cdcefcc4a8308c51cfbfa5ac8a7793ded39fbb53f900b7c0b9f0e921006d25bff249593337fd034a9aa79c623c95 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | b1de36527c2bd955d59601c76305054c |
| SHA1 | b2903124ae34b2ac44e8401e9b75db5f8c214307 |
| SHA256 | 7e2a18099028cdb6b44c5166b4d98f6e83ab21092225e1fc11c26acebaf91e49 |
| SHA512 | 604d6e4a1cc94fbbcddadd4415063793aa5c956c72170dd406d11d0441d08ea55b136178ac0a1e382762c0602724ec59d8b91f32d6b75742a115b9b1fc88a81e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 21409a061248b0d193ce37372eb21525 |
| SHA1 | f0b8182bff538009963daeb8d90842d9f3868608 |
| SHA256 | 7c9f11b3b6a073e2cd5169a0821c1a660e7afed216bfc4d405e75992b03d1606 |
| SHA512 | ffb07ba6bb9e297967641f7eabbe39dba2fd98ce676f0ce6877b9f2c3ac4dac12186224a75004051ee6f8ce970d0948f3820e2e74454c4a47b0b0aa766804078 |