Analysis
- max time kernel: 1330s
- max time network: 1535s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09-08-2024 14:55
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://bonzi.link
Resource
win7-20240704-en
Errors
General
-
Target
http://bonzi.link
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: INSTALLER.exe, INSTALLER.exe, MSAGENT.EXE, tv_enua.exe
description ioc process
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Active Setup\Installed Components
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components MSAGENT.EXE
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components tv_enua.exe
-
Downloads MZ/PE file
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt 64 IoCs
-
Executes dropped EXE 19 IoCs
Processes: BonziBuddy432.exe, MSAGENT.EXE, tv_enua.exe, AgentSvr.exe, BonziBDY_4.EXE, AgentSvr.exe, Bonzify.exe, INSTALLER.exe, AgentSvr.exe, INSTALLER.exe, AgentSvr.exe, BonziBDY_4.EXE
pid process
3284 BonziBuddy432.exe
2512 MSAGENT.EXE
3408 tv_enua.exe
2568 AgentSvr.exe
3560 BonziBDY_4.EXE
3864 AgentSvr.exe
2856 Bonzify.exe
5008 INSTALLER.exe
3248 AgentSvr.exe
2448 INSTALLER.exe
2524 AgentSvr.exe
1376 BonziBDY_4.EXE
3140
840
3244
4420
2860
5008
3296
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: tv_enua.exe, INSTALLER.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" tv_enua.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" INSTALLER.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File created F:\pee\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc
1248 raw.githubusercontent.com
1249 raw.githubusercontent.com
1246 raw.githubusercontent.com
1247 raw.githubusercontent.com
-
Drops file in System32 directory 3 IoCs
Processes: tv_enua.exe
description ioc process
File opened for modification C:\Windows\SysWOW64\SETD9FF.tmp tv_enua.exe
File created C:\Windows\SysWOW64\SETD9FF.tmp tv_enua.exe
File opened for modification C:\Windows\SysWOW64\msvcp50.dll tv_enua.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes: firefox.exe
description ioc process
File created C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 38 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
-
Kills process with taskkill 2 IoCs
Processes:
taskkill.exe
pid process
4852 taskkill.exe
672
-
Modifies Control Panel 64 IoCs
-
Modifies registry class 64 IoCs
-
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
-
NTFS ADS 4 IoCs
Processes:
firefox.exe
firefox.exe
description ioc process
File created C:\Users\Admin\Downloads\Bon.zip:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\wp4073802.webp:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier firefox.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
Processes:
taskmgr.exe
pid process
4692 taskmgr.exe
4128
2728
1328
4388
3404
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
firefox.exe, 7zG.exe, 7zG.exe, MSAGENT.EXE, tv_enua.exe, SndVol.exe, AgentSvr.exe, firefox.exe
description pid process
Token: SeDebugPrivilege 1336 firefox.exe
Token: SeRestorePrivilege 3164 7zG.exe
Token: 35 3164 7zG.exe
Token: SeSecurityPrivilege 3164 7zG.exe
Token: SeRestorePrivilege 2112 7zG.exe
Token: 35 2112 7zG.exe
Token: SeSecurityPrivilege 2112 7zG.exe
Token: SeRestorePrivilege 2512 MSAGENT.EXE
Token: SeRestorePrivilege 3408 tv_enua.exe
Token: 33 3388 SndVol.exe
Token: SeIncBasePriorityPrivilege 3388 SndVol.exe
Token: 33 3864 AgentSvr.exe
Token: SeIncBasePriorityPrivilege 3864 AgentSvr.exe
Token: SeDebugPrivilege 2056 firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
firefox.exe, iexplore.exe, 7zG.exe, 7zG.exe, SndVol.exe, SndVol.exe, AgentSvr.exe, BonziBDY_4.EXE
pid process
1336 firefox.exe
2920 iexplore.exe
3164 7zG.exe
2112 7zG.exe
3728 SndVol.exe
3388 SndVol.exe
3864 AgentSvr.exe
3560 BonziBDY_4.EXE
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
firefox.exe, SndVol.exe, SndVol.exe, AgentSvr.exe, firefox.exe, AgentSvr.exe, taskmgr.exe
pid process
1336 firefox.exe
3728 SndVol.exe
3388 SndVol.exe
3864 AgentSvr.exe
2056 firefox.exe
2524 AgentSvr.exe
4692 taskmgr.exe
4128
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
iexplore.exe, IEXPLORE.EXE, firefox.exe, BonziBDY_4.EXE, iexplore.exe, IEXPLORE.EXE, firefox.exe
pid process
2920 iexplore.exe
2636 IEXPLORE.EXE
1336 firefox.exe
3560 BonziBDY_4.EXE
2864 iexplore.exe
1300 IEXPLORE.EXE
2056 firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exe, firefox.exe
description pid process target process
PID 1960 wrote to memory of 1336 1960 firefox.exe firefox.exe
PID 1336 wrote to memory of 2820 1336 firefox.exe firefox.exe
PID 1336 wrote to memory of 2364 1336 firefox.exe firefox.exe
PID 1336 wrote to memory of 2440 1336 firefox.exe firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://bonzi.link"1⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://bonzi.link2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.0.783634963\1044154913" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc523fa8-fab1-4453-b62d-c31550297b91} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 1304 10ff4158 gpu3⤵PID:2820
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.1.1256526970\1654260514" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9da7af5b-7ced-4020-aff7-16de02ddfd26} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 1504 d71658 socket3⤵
- Checks processor information in registry
PID:2364 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.2.1447415296\1826440924" -childID 1 -isForBrowser -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc75df-27ab-4eb3-a3ca-1c6f0bb04c51} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2088 1a2c9558 tab3⤵PID:2440
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.3.1792370936\1728790187" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2676 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82e3dc60-af98-424c-b916-165c69ae3d44} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2688 1c33d358 tab3⤵PID:308
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.4.441131577\1716624618" -childID 3 -isForBrowser -prefsHandle 1108 -prefMapHandle 3852 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b5f5ea9-bb69-4e2c-9f05-33f597270d5f} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3872 1ec9e258 tab3⤵PID:2488
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.5.366477787\1811566002" -childID 4 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ed8e53-23ce-4a3f-9747-e6ca01c7d874} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3976 214ae458 tab3⤵PID:1960
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.6.1043808884\1414091929" -childID 5 -isForBrowser -prefsHandle 4152 -prefMapHandle 4156 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f65596-0783-4655-98e4-01dafdc24fde} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4144 214afc58 tab3⤵PID:2840
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.7.1776352154\1653856721" -childID 6 -isForBrowser -prefsHandle 3812 -prefMapHandle 2800 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bb373e7-a9cb-4912-8d68-4645d712873a} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3332 21ff5258 tab3⤵PID:1184
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.8.1860701603\1618749644" -childID 7 -isForBrowser -prefsHandle 3068 -prefMapHandle 3204 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {235c3b69-7f0a-4ac0-a9e9-4c940585d8cc} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3056 21ff8858 tab3⤵PID:1304
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.9.1519736350\207174318" -childID 8 -isForBrowser -prefsHandle 4452 -prefMapHandle 4456 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8376bd-4648-4326-93a1-06caa027bb0c} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4440 21ff6158 tab3⤵PID:1248
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.10.112867821\323520896" -childID 9 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1983b08-56bf-4b7b-842e-98aeba666311} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 1808 d65358 tab3⤵PID:3872
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.11.474540957\1211949853" -childID 10 -isForBrowser -prefsHandle 7996 -prefMapHandle 7988 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1671072-8e78-453f-9c29-d321a71dcf46} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 7884 11498358 tab3⤵PID:3392
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.12.443530358\1186059856" -childID 11 -isForBrowser -prefsHandle 7768 -prefMapHandle 7764 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed6ecedc-0a83-44fb-abe6-52662cc2603e} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 7780 11498958 tab3⤵PID:3312
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.13.668857870\1151972314" -childID 12 -isForBrowser -prefsHandle 7680 -prefMapHandle 7676 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91fb7f27-c122-4806-bc77-f20f6671dc97} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 7576 24f58c58 tab3⤵PID:3504
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.14.809333211\151112326" -childID 13 -isForBrowser -prefsHandle 7788 -prefMapHandle 7792 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ab5965b-b934-45f6-bf81-df09bd14b4a4} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 7872 11498358 tab3⤵PID:3884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.15.1500237683\874152225" -childID 14 -isForBrowser -prefsHandle 7612 -prefMapHandle 3792 -prefsLen 26845 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d059a43f-1a96-4648-a108-de599f3dc2c2} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3492 21e26a58 tab3⤵PID:3048
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.16.1934110989\332552057" -childID 15 -isForBrowser -prefsHandle 7592 -prefMapHandle 7896 -prefsLen 26845 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e58e8bfc-ee6e-4cc2-b09a-982261ee1f32} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4564 2641e758 tab3⤵PID:2520
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.17.1435641827\1858738757" -childID 16 -isForBrowser -prefsHandle 7392 -prefMapHandle 4048 -prefsLen 26845 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55985354-43af-4cdf-baf7-3bab35dafea7} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 8528 2684e658 tab3⤵PID:3412
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.18.1965308762\1557587052" -childID 17 -isForBrowser -prefsHandle 8200 -prefMapHandle 3504 -prefsLen 26845 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19cf130c-32b8-4a25-a5a9-96c2be0f839e} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3000 27697358 tab3⤵PID:3164
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:756
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1548
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:3036
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Advanced,@Advanced1⤵
- Modifies Control Panel
PID:1796
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Advanced,@Advanced1⤵
- Modifies Control Panel
PID:996
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=1092861⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2920 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2636 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:799753 /prefetch:22⤵PID:3228
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2576
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6140:68:7zEvent318871⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3164
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6995:64:7zEvent71751⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2112
-
C:\Users\Admin\Desktop\BonziBuddy432.exe"C:\Users\Admin\Desktop\BonziBuddy432.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "2⤵
- Loads dropped DLL
PID:3080 -
C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXEMSAGENT.EXE3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2512 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"4⤵
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"4⤵
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"4⤵
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"4⤵
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"4⤵
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"4⤵
- Loads dropped DLL
PID:1108 -
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵PID:2860
-
C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exetv_enua.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll4⤵
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll4⤵
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵PID:2224
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1876
-
C:\Windows\system32\SndVol.exeSndVol.exe -f 68945686 184671⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3728 -
C:\Windows\system32\SndVol.exeSndVol.exe -r 68945686 0 {0.0.0.00000000}.{494ac999-4740-4e72-9bad-a3628eb24cfa}2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3388
-
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3560
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3864
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:4068
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.0.812832610\245215714" -parentBuildID 20221007134813 -prefsHandle 1124 -prefMapHandle 1116 -prefsLen 21306 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc532df0-964d-482b-83af-86dee8e09d61} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 1208 f7f9258 gpu3⤵PID:1384
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.1.759974804\1688194283" -parentBuildID 20221007134813 -prefsHandle 1336 -prefMapHandle 1332 -prefsLen 21351 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb0c2dbb-d617-4692-88b0-4ec5d92ad914} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 1360 eb3f458 socket3⤵
- Checks processor information in registry
PID:2604 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.2.1583442817\664879438" -childID 1 -isForBrowser -prefsHandle 2016 -prefMapHandle 2012 -prefsLen 21812 -prefMapSize 233536 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c61703aa-fcf0-43d8-9fea-3166facba522} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 2028 1a277258 tab3⤵PID:3776
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.3.2039220711\1697076402" -childID 2 -isForBrowser -prefsHandle 2528 -prefMapHandle 2516 -prefsLen 26997 -prefMapSize 233536 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a40e73e9-f7e7-4f83-8552-344ca51fd7cd} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 2532 1c19ae58 tab3⤵PID:3580
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.4.182310759\1086348581" -childID 3 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26997 -prefMapSize 233536 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4bb7d73-fdf2-4465-80d1-3a4e5efdd8ad} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 2768 1c9cce58 tab3⤵PID:2100
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.5.1137447730\1713784441" -childID 4 -isForBrowser -prefsHandle 3364 -prefMapHandle 3380 -prefsLen 26997 -prefMapSize 233536 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae124a29-bb64-4612-b39a-39d912f33204} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 3360 1aeaae58 tab3⤵PID:3380
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2056.6.1104476266\1990714617" -childID 5 -isForBrowser -prefsHandle 3544 -prefMapHandle 3556 -prefsLen 26997 -prefMapSize 233536 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd45cb6c-a251-4a35-a831-1fec4791a2ae} 2056 "\\.\pipe\gecko-crash-server-pipe.2056" 3532 1d9e2e58 tab3⤵PID:3656
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2864 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:1300
-
C:\Users\Admin\Desktop\Bonzify.exe"C:\Users\Admin\Desktop\Bonzify.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2856 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"2⤵PID:4340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe3⤵
- Kills process with taskkill
PID:4852 -
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent3⤵PID:4884
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5008 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵PID:468
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵
- Modifies registry class
PID:4088 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵PID:4168
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵PID:3092
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵PID:3048
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵PID:3536
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"2⤵PID:3924
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"3⤵PID:3784
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)3⤵PID:4992
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe"3⤵PID:3036
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4256 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe"2⤵PID:4904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe"3⤵PID:4316
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe" /grant "everyone":(f)3⤵PID:1524
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe"2⤵PID:3064
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe"3⤵
- Possible privilege escalation attempt
PID:3752 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe" /grant "everyone":(f)3⤵PID:3836
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe"2⤵PID:2680
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe"3⤵PID:3908
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe" /grant "everyone":(f)3⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:2448 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll3⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll3⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵PID:4432
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe"2⤵PID:3240
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe"3⤵
- Possible privilege escalation attempt
PID:2140 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe" /grant "everyone":(f)3⤵PID:2812
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe"3⤵PID:2612
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe" /grant "everyone":(f)3⤵PID:2724
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe"2⤵PID:1676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe"3⤵
- Modifies file permissions
PID:1776 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3380 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe"2⤵PID:1996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe"3⤵PID:844
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe" /grant "everyone":(f)3⤵PID:2308
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe"2⤵PID:1312
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe"3⤵PID:1576
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe" /grant "everyone":(f)3⤵PID:2672
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe"2⤵PID:2616
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe"3⤵PID:3720
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:1216 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe"2⤵PID:2008
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe"3⤵PID:3280
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe" /grant "everyone":(f)3⤵PID:1828
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe"2⤵PID:564
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe"3⤵PID:280
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe" /grant "everyone":(f)3⤵PID:2404
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe"2⤵PID:3408
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe"3⤵PID:1604
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2572 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe"2⤵PID:2332
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe"3⤵PID:3968
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3216 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe"2⤵PID:3992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe"3⤵PID:3640
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe" /grant "everyone":(f)3⤵PID:3584
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.exe"2⤵PID:2600
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.exe"3⤵PID:1804
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:5096 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe"2⤵PID:3712
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe"3⤵PID:2424
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe" /grant "everyone":(f)3⤵PID:4924
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe"2⤵PID:2452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe"3⤵PID:4016
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe" /grant "everyone":(f)3⤵PID:664
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe"2⤵PID:3832
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe"3⤵PID:1428
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4024 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe"2⤵PID:2360
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe"3⤵PID:3392
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe" /grant "everyone":(f)3⤵PID:3676
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe"2⤵PID:3900
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe"3⤵PID:884
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe"2⤵PID:544
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe"3⤵PID:980
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe" /grant "everyone":(f)3⤵PID:4500
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"3⤵PID:1972
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)3⤵PID:1108
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"2⤵PID:1796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"3⤵
- Modifies file permissions
PID:4516 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)3⤵PID:4828
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"2⤵PID:4520
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"3⤵PID:2024
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3784 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"2⤵PID:2756
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"3⤵PID:3336
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)3⤵PID:2316
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"2⤵PID:2164
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"3⤵PID:2328
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)3⤵PID:4612
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"2⤵PID:3332
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4692 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)3⤵PID:3616
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:4700
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵PID:2872
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)3⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"2⤵PID:1944
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"3⤵PID:4704
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)3⤵PID:3120
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:1744
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:4992
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)3⤵PID:976
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵PID:4072
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵PID:5060
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"2⤵PID:2860
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"3⤵
- Modifies file permissions
PID:1240 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵PID:1768
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"3⤵PID:3500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)3⤵PID:4184
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"2⤵PID:2904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"3⤵PID:4180
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)3⤵PID:4824
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"2⤵PID:2640
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"3⤵PID:2784
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)3⤵PID:2976
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:4284
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵PID:4152
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)3⤵PID:2016
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:3664
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵PID:5108
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)3⤵PID:4248
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"2⤵PID:4892
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"3⤵PID:468
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4088 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵PID:1908
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵PID:3928
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)3⤵PID:4860
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵PID:4896
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"3⤵
- Modifies file permissions
PID:2248 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)3⤵PID:3092
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"2⤵PID:2684
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵PID:616
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)3⤵PID:772
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"2⤵PID:3544
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"3⤵PID:4272
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)3⤵PID:2884
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵PID:1492
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)3⤵PID:3484
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵PID:3596
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵PID:4116
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)3⤵PID:3684
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵PID:1728
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵PID:4768
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)3⤵PID:4280
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵PID:4336
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵PID:2736
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)3⤵PID:2212
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵PID:2796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"3⤵PID:2456
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)3⤵PID:1264
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:1180
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:1588
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)3⤵PID:3888
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"2⤵PID:2348
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"3⤵PID:4660
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵PID:4076
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵PID:2084
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)3⤵PID:2340
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2104
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Modifies file permissions
PID:4668 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)3⤵PID:1376
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:4648
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:3556
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)3⤵PID:4664
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"2⤵PID:4644
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"3⤵PID:4656
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" /grant "everyone":(f)3⤵PID:2648
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"2⤵PID:3344
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"3⤵PID:276
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)3⤵PID:1968
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"2⤵PID:3508
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"3⤵PID:4296
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:4372 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:4468
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Modifies file permissions
PID:4364 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4560 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"2⤵PID:4312
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"3⤵PID:4532
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)3⤵PID:4568
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"2⤵PID:3260
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"3⤵PID:484
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)3⤵PID:4384
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"2⤵PID:2740
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"3⤵PID:2312
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)3⤵PID:1236
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"2⤵PID:4268
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"3⤵PID:2732
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵PID:3748
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"2⤵PID:3736
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"3⤵PID:2504
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"2⤵PID:3416
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"3⤵PID:3172
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)3⤵PID:4424
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"2⤵PID:3360
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"3⤵PID:2044
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)3⤵PID:4128
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"2⤵PID:1624
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"3⤵PID:3696
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)3⤵PID:2660
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"2⤵PID:1540
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"3⤵PID:1780
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)3⤵PID:3716
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"2⤵PID:4752
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"3⤵PID:2608
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2612 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"2⤵PID:2724
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"3⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)3⤵PID:2252
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"2⤵PID:1812
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"3⤵PID:844
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3024 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"2⤵PID:1996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"3⤵PID:2156
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2672 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"2⤵PID:2396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"3⤵PID:3636
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)3⤵PID:3980
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"2⤵PID:2264
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"3⤵PID:1684
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)3⤵PID:2372
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"2⤵PID:2096
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"3⤵PID:2404
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)3⤵PID:268
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"2⤵PID:1956
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"3⤵PID:1308
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)3⤵PID:3040
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"3⤵PID:1664
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)3⤵PID:2332
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"2⤵PID:3640
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"3⤵PID:3756
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)3⤵PID:848
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"2⤵PID:3116
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"3⤵PID:3680
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)3⤵PID:5080
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"2⤵PID:1324
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"3⤵PID:4044
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)3⤵PID:4016
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"2⤵PID:664
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"3⤵PID:4032
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)3⤵PID:2840
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"2⤵PID:2108
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"3⤵PID:3392
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2932 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"2⤵PID:2360
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"3⤵PID:2876
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)3⤵PID:3620
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"2⤵PID:3896
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"3⤵PID:4624
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)3⤵PID:4948
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"2⤵PID:3352
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"3⤵PID:5052
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe" /grant "everyone":(f)3⤵PID:2088
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"2⤵PID:3656
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"3⤵
- Possible privilege escalation attempt
PID:4900 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)3⤵PID:4212
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"2⤵PID:868
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"3⤵PID:4588
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)3⤵PID:2512
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"2⤵PID:3564
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"3⤵
- Modifies file permissions
PID:4140 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2464 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:4776 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"2⤵PID:2576
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)3⤵PID:3356
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"2⤵PID:2676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"3⤵PID:3136
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"2⤵PID:1980
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"3⤵PID:4416
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)3⤵PID:2880
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"2⤵PID:3196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"3⤵
- Modifies file permissions
PID:4220 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)3⤵PID:4376
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"2⤵PID:2984
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"3⤵PID:4888
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)3⤵PID:1640
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"2⤵PID:2920
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"3⤵PID:4396
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)3⤵PID:4100
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"2⤵PID:4928
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)3⤵PID:1628
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"2⤵PID:3516
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"3⤵PID:764
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"2⤵PID:4920
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"3⤵PID:292
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)3⤵PID:4344
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"2⤵PID:344
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"3⤵PID:4000
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)3⤵PID:752
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)3⤵PID:1608
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"2⤵PID:4480
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"3⤵PID:2988
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)3⤵PID:3336
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"2⤵PID:2316
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"3⤵PID:2476
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"2⤵PID:3156
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"3⤵
- Possible privilege escalation attempt
PID:4964 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:4104 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"2⤵PID:2560
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"3⤵PID:4356
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)3⤵PID:3332
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"2⤵PID:2872
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"3⤵PID:4700
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)3⤵PID:3792
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"2⤵PID:4704
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"3⤵PID:1944
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵PID:4300
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"2⤵PID:4992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"3⤵PID:4800
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)3⤵PID:4968
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵PID:3032
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"3⤵PID:2644
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)3⤵PID:2860
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵PID:3816
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"3⤵
- Modifies file permissions
PID:4184 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:2124 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"2⤵PID:672
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"3⤵PID:4824
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)3⤵PID:2904
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"2⤵PID:3372
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"3⤵PID:2976
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)3⤵PID:2640
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"2⤵PID:2892
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"3⤵PID:2016
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)3⤵PID:4284
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"3⤵PID:4248
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)3⤵PID:3664
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"2⤵PID:1248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)3⤵PID:4892
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"2⤵PID:3144
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"3⤵PID:4860
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)3⤵PID:1908
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"2⤵PID:3772
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"3⤵PID:3092
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4872 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"2⤵PID:4196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"3⤵PID:772
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)3⤵PID:4904
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵PID:3724
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"3⤵
- Possible privilege escalation attempt
PID:2884 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)3⤵PID:2520
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2032
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"3⤵PID:3484
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)3⤵PID:1516
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"2⤵PID:2828
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"3⤵PID:3684
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)3⤵PID:3436
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵PID:5092
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"3⤵
- Possible privilege escalation attempt
PID:4280 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"2⤵PID:1560
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"3⤵PID:2212
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)3⤵PID:3028
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"2⤵PID:4720
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"3⤵PID:1264
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2552 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"2⤵PID:4608
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"3⤵PID:3888
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)3⤵PID:3844
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵PID:2220
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"3⤵PID:4572
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)3⤵PID:2700
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"2⤵PID:2820
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"3⤵PID:2340
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)3⤵PID:1876
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"2⤵PID:900
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"3⤵PID:1376
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵PID:3472
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"3⤵PID:4664
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)3⤵PID:4648
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"2⤵PID:4680
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"3⤵
- Possible privilege escalation attempt
PID:2648 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe" /grant "everyone":(f)3⤵PID:4644
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"2⤵PID:4292
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe" /grant "everyone":(f)3⤵PID:2020
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"2⤵PID:3776
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"3⤵PID:4372
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)3⤵PID:3508
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"2⤵PID:4528
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"3⤵PID:4560
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4468 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"2⤵PID:2408
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"3⤵
- Possible privilege escalation attempt
PID:4568 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)3⤵PID:4312
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\NETFXRepair.exe"2⤵PID:3316
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\NETFXRepair.exe"3⤵PID:4812
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\NETFXRepair.exe" /grant "everyone":(f)3⤵PID:1504
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\msagent\AgentSvr.exe"2⤵PID:1472
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\msagent\AgentSvr.exe"3⤵PID:2704
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\msagent\AgentSvr.exe" /grant "everyone":(f)3⤵PID:1236
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"2⤵PID:3112
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\notepad.exe"3⤵PID:2732
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\notepad.exe" /grant "everyone":(f)3⤵PID:3748
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"2⤵PID:4080
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\regedit.exe"3⤵PID:2504
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\regedit.exe" /grant "everyone":(f)3⤵PID:2780
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\GC64\tzupd.exe"2⤵PID:2964
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\GC64\tzupd.exe"3⤵PID:3300
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\GC64\tzupd.exe" /grant "everyone":(f)3⤵PID:4084
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"2⤵PID:3416
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\TrustedInstaller.exe"3⤵PID:4848
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)3⤵PID:4332
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"2⤵PID:4780
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Speech\Common\sapisvr.exe"3⤵PID:5056
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)3⤵PID:1028
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"2⤵PID:1624
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\splwow64.exe"3⤵PID:2812
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\splwow64.exe" /grant "everyone":(f)3⤵PID:948
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AdapterTroubleshooter.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\AdapterTroubleshooter.exe"3⤵PID:4428
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\AdapterTroubleshooter.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:556 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"2⤵PID:2140
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\ARP.EXE"3⤵PID:3380
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)3⤵PID:1712
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"2⤵PID:2724
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\at.exe"3⤵PID:4056
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\at.exe" /grant "everyone":(f)3⤵PID:4360
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"2⤵PID:1812
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\AtBroker.exe"3⤵PID:1312
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1544 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"2⤵PID:1996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\attrib.exe"3⤵PID:2936
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)3⤵PID:4012
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"2⤵PID:2396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\auditpol.exe"3⤵
- Modifies file permissions
PID:4040 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)3⤵PID:1104
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"2⤵PID:2264
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\autochk.exe"3⤵PID:564
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)3⤵PID:1604
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"2⤵PID:2096
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\autoconv.exe"3⤵
- Modifies file permissions
PID:2148 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)3⤵PID:2012
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"2⤵PID:1956
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\autofmt.exe"3⤵PID:2868
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)3⤵PID:2816
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"2⤵PID:2036
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\bitsadmin.exe"3⤵PID:1804
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)3⤵PID:5096
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"2⤵PID:3640
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\bootcfg.exe"3⤵PID:676
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4924 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"2⤵PID:3628
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\bthudtask.exe"3⤵PID:4028
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)3⤵PID:2452
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"2⤵PID:1324
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cacls.exe"3⤵PID:4024
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)3⤵PID:3200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"2⤵PID:664
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\calc.exe"3⤵PID:3572
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)3⤵PID:3308
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"2⤵PID:2376
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\CertEnrollCtrl.exe"3⤵PID:2360
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)3⤵PID:4624
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"2⤵PID:4948
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\certreq.exe"3⤵PID:4500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)3⤵PID:5052
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"2⤵PID:2088
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\certutil.exe"3⤵PID:2420
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)3⤵PID:4900
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"2⤵PID:4212
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\charmap.exe"3⤵PID:4092
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"2⤵PID:2512
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\chkdsk.exe"3⤵PID:4552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:4140 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"2⤵PID:1852
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\chkntfs.exe"3⤵PID:3608
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)3⤵PID:2464
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"2⤵PID:4776
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\choice.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)3⤵PID:2292
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"2⤵PID:3356
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cipher.exe"3⤵PID:4276
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)3⤵PID:3136
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"2⤵PID:1352
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cleanmgr.exe"3⤵PID:284
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:4416 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"2⤵PID:2880
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cliconfg.exe"3⤵PID:1988
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)3⤵PID:4220
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"2⤵PID:4376
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\clip.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)3⤵PID:4884
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"2⤵PID:4852
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cmd.exe"3⤵PID:5020
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)3⤵PID:3708
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"2⤵PID:4916
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cmdkey.exe"3⤵
- Possible privilege escalation attempt
PID:2400 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)3⤵PID:3440
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"2⤵PID:3660
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cmdl32.exe"3⤵PID:2696
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"2⤵PID:2304
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cmmon32.exe"3⤵PID:3020
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)3⤵PID:1564
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"2⤵PID:1108
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cmstp.exe"3⤵PID:888
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)3⤵PID:4584
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\colorcpl.exe"3⤵
- Possible privilege escalation attempt
PID:756 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:1792 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\com\comrepl.exe"2⤵PID:3784
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\com\comrepl.exe"3⤵
- Modifies file permissions
PID:4120 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\com\comrepl.exe" /grant "everyone":(f)3⤵PID:2988
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\com\MigRegDB.exe"2⤵PID:3336
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\com\MigRegDB.exe"3⤵PID:3376
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\com\MigRegDB.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:1668 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"2⤵PID:3848
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\comp.exe"3⤵PID:2328
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)3⤵PID:4612
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"2⤵PID:3156
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\compact.exe"3⤵PID:3616
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)3⤵PID:4576
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"2⤵PID:2560
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\ComputerDefaults.exe"3⤵PID:4700
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)3⤵PID:3792
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"2⤵PID:2192
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\control.exe"3⤵
- Possible privilege escalation attempt
PID:2224 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\control.exe" /grant "everyone":(f)3⤵PID:3228
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"2⤵PID:3456
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\convert.exe"3⤵PID:992
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4992 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"2⤵PID:1240
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\credwiz.exe"3⤵PID:2860
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)3⤵PID:4260
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"2⤵PID:4200
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cscript.exe"3⤵PID:1976
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)3⤵PID:3500
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"2⤵PID:4824
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\ctfmon.exe"3⤵PID:672
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:2000 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cttune.exe"3⤵PID:3372
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:4148 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"2⤵PID:2016
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\cttunesvr.exe"3⤵PID:2892
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)3⤵PID:2832
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"2⤵PID:3396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dccw.exe"3⤵PID:828
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)3⤵PID:4244
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"2⤵PID:2496
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dcomcnfg.exe"3⤵PID:468
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)3⤵PID:4860
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"2⤵PID:1908
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\ddodiag.exe"3⤵
- Possible privilege escalation attempt
PID:4936 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:4896 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"2⤵PID:1524
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DevicePairingWizard.exe"3⤵PID:4124
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)3⤵PID:3100
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DeviceProperties.exe"2⤵PID:4196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DeviceProperties.exe"3⤵PID:2884
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DeviceProperties.exe" /grant "everyone":(f)3⤵PID:2520
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"2⤵PID:3752
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dfrgui.exe"3⤵PID:2436
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3876 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dialer.exe"3⤵PID:1948
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)3⤵PID:2828
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diantz.exe"2⤵PID:4740
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\diantz.exe"3⤵PID:2536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\diantz.exe" /grant "everyone":(f)3⤵PID:3580
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"2⤵PID:2352
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\diskpart.exe"3⤵
- Modifies file permissions
PID:5008 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)3⤵PID:2736
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"2⤵PID:1264
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\diskperf.exe"3⤵
- Possible privilege escalation attempt
PID:4720 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)3⤵PID:3404
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskraid.exe"2⤵PID:1180
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\diskraid.exe"3⤵PID:3648
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\diskraid.exe" /grant "everyone":(f)3⤵PID:3068
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"2⤵PID:4944
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\Dism\DismHost.exe"3⤵
- Modifies file permissions
PID:4660 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)3⤵PID:2340
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"2⤵PID:1876
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\Dism.exe"3⤵PID:4052
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)3⤵PID:2104
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DisplaySwitch.exe"2⤵PID:1200
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DisplaySwitch.exe"3⤵PID:4688
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DisplaySwitch.exe" /grant "everyone":(f)3⤵PID:2912
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"2⤵PID:3472
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dllhost.exe"3⤵
- Modifies file permissions
PID:2648 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)3⤵PID:4644
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"2⤵PID:1552
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dllhst3g.exe"3⤵PID:3344
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dllhst3g.exe" /grant "everyone":(f)3⤵PID:348
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dnscacheugc.exe"2⤵PID:276
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dnscacheugc.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dnscacheugc.exe" /grant "everyone":(f)3⤵PID:3776
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\doskey.exe"2⤵PID:3552
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\doskey.exe"3⤵PID:4468
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\doskey.exe" /grant "everyone":(f)3⤵PID:4132
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpapimig.exe"2⤵PID:4484
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dpapimig.exe"3⤵PID:4192
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dpapimig.exe" /grant "everyone":(f)3⤵PID:2408
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DpiScaling.exe"2⤵PID:4812
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DpiScaling.exe"3⤵PID:3316
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DpiScaling.exe" /grant "everyone":(f)3⤵PID:1692
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dplaysvr.exe"2⤵PID:2740
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dplaysvr.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dplaysvr.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:3512 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpnsvr.exe"2⤵PID:4268
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\dpnsvr.exe"3⤵PID:2664
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\dpnsvr.exe" /grant "everyone":(f)3⤵PID:1148
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\driverquery.exe"2⤵PID:3736
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\driverquery.exe"3⤵PID:2180
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\driverquery.exe" /grant "everyone":(f)3⤵PID:4408
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe"2⤵PID:4592
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe"3⤵PID:1920
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe" /grant "everyone":(f)3⤵PID:2824
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe"2⤵PID:4452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe"3⤵PID:3132
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:1480 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe"2⤵PID:5056
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe"3⤵
- Modifies file permissions
PID:4780 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe" /grant "everyone":(f)3⤵PID:532
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe"2⤵PID:2812
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe"3⤵PID:1624
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe" /grant "everyone":(f)3⤵PID:4620
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe"2⤵PID:4428
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe"3⤵PID:2112
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe" /grant "everyone":(f)3⤵PID:1672
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe"2⤵PID:3380
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe"3⤵PID:4752
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe" /grant "everyone":(f)3⤵PID:1776
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:2524
-
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"1⤵
- Executes dropped EXE
PID:1376
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4692
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1129964966189833787144038674126514774619881172251621712906-433896764-1757282414"1⤵PID:4480
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1781932378-1766328095-532771661-10708243636610611391606137928-648178787-912705441"1⤵PID:2644
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1133427642-673777740397756849-17882039517769876371295412466965003397-177872429"1⤵PID:3664
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "256710130-1705162402-2951070633061003451863202341-1398341669-1707678573-1966991597"1⤵PID:3144
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "260761619-1357678329-4016496183635818411500310561-1852795486-996265461834913524"1⤵PID:4280
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1929571302-8116319221185742595960466495-20083367211976054103-1329848024-124215138"1⤵PID:3844
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "517170059638385239-2102462785-728983640-2413061241320130617-1225651140606568306"1⤵PID:2820
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "193192629227661306-92496568419594957141958258861385175989-1844141876-401080173"1⤵PID:4560
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-59727792617255525651801297489-16985016352036510586-1447823601-452860981-1947197612"1⤵PID:1236
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1920396353890976458-1062280222-5949874892078014483-1072173438653809126-1745036594"1⤵PID:3748
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "469487295594041979-267390071-21160013081708137941758986125-563356732-328941176"1⤵PID:2780
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1279795146-550034502586952945442256614291757257-3793915198873548741907868723"1⤵PID:4084
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-497418409208167589921701655-19342664-1924003363-13864562242088457022318578101"1⤵PID:4332
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
    Active Setup: 1
    Registry Run Keys / Startup Folder: 1
  Event Triggered Execution: 2
    Accessibility Features: 1
    AppInit DLLs: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
    Active Setup: 1
    Registry Run Keys / Startup Folder: 1
  Event Triggered Execution: 2
    Accessibility Features: 1
    AppInit DLLs: 1
Defense Evasion
  File and Directory Permissions Modification: 2
    Windows File and Directory Permissions Modification: 1
  Modify Registry: 4
  Subvert Trust Controls: 2
    Install Root Certificate: 1
    SIP and Trust Provider Hijacking: 1
Downloads
-
Filesize
544B
MD59f16199c3e0f1c065a0ce180889335e4
SHA12db44798e333031fbac4dea9307d8e6b8462b351
SHA2564ee0225f766890328be779cb34788a6b6b6409a962406d95b6421f2170ace84d
SHA51298783019bd006da86d5df012a582504b2c1db7ceaeefa3046bcecff0cd5d14a0a7151a945b98696eee873de9c9bb7f31927023c34d594badcce6fb258a7f08ef
-
Filesize
544B
MD5761534380f278aa2efc85036acba9247
SHA189e0a82ae5b12b954a0aa6d268a46a7d964adb78
SHA256b17d5c887a7f93d48d836291d66c5a5a30581ddc03e405c176b7c03a24c4fb84
SHA51297eff78d1e42fc9f5e1ee3ead8f5ed5460be99cb8f2ede624b638e2b0281371176df90efac90a3982139708d2ea0f517eb2c53346931a3ba858292e8d2dc8044
-
Filesize
336KB
MD53d225d8435666c14addf17c14806c355
SHA1262a951a98dd9429558ed35f423babe1a6cce094
SHA2562c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877
SHA512391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1
-
Filesize
152KB
MD566551c972574f86087032467aa6febb4
SHA15ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9
SHA2569028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b
SHA51235c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089
-
Filesize
50KB
MD5e8f52918072e96bb5f4c573dbb76d74f
SHA1ba0a89ed469de5e36bd4576591ee94db2c7f8909
SHA256473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82
SHA512d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f
-
Filesize
45KB
MD5108fd5475c19f16c28068f67fc80f305
SHA14e1980ba338133a6fadd5fda4ffe6d4e8a039033
SHA25603f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b
SHA51298c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a
-
Filesize
112KB
MD57bec181a21753498b6bd001c42a42722
SHA13249f233657dc66632c0539c47895bfcee5770cc
SHA25673da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
SHA512d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc
-
Filesize
140B
MD5a8ed45f8bfdc5303b7b52ae2cce03a14
SHA1fb9bee69ef99797ac15ba4d8a57988754f2c0c6b
SHA256375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b
SHA51237917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c
-
Filesize
160B
MD54fc1deb8f4846d001bfdaad8f9f457dd
SHA10bcd73e26380e9fd2e0bd6d798abdf871094c9c7
SHA2569bb25c5466cfb526a83ec1ffa0730d2cfe050838cd7a6c8df30f07b316dfeb82
SHA5128102774f87c48d8156c61d938bf44a7b93640e9af1f798f6654a5b77e65a05cc4f0b3165abf45fc490ea76528692c8af2a14cbee0f8bb51d7bd1e4bb3db4f3ed
-
Filesize
76KB
MD532ff40a65ab92beb59102b5eaa083907
SHA1af2824feb55fb10ec14ebd604809a0d424d49442
SHA25607e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42
SHA5122cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43
-
Filesize
279B
MD54877f2ce2833f1356ae3b534fce1b5e3
SHA17365c9ef5997324b73b1ff0ea67375a328a9646a
SHA2568ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff
SHA512dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e
-
Filesize
391KB
MD566996a076065ebdcdac85ff9637ceae0
SHA14a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA25616ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
Filesize
320KB
MD597ffaf46f04982c4bdb8464397ba2a23
SHA1f32e89d9651fd6e3af4844fd7616a7f263dc5510
SHA2565db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1
SHA5128c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002
-
Filesize
65KB
MD5578bebe744818e3a66c506610b99d6c3
SHA1af2bc75a6037a4581979d89431bd3f7c0f0f1b1f
SHA256465839938f2baec7d66dbc3f2352f6032825618a18c9c0f9333d13af6af39f71
SHA512d24fcd2f3e618380cf25b2fd905f4e04c8152ee41aeee58d21abfc4af2c6a5d122f12b99ef325e1e82b2871e4e8f50715cc1fc2efcf6c4f32a3436c32727cd36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5c7771b08e59c4067c08a873b17b9c284
SHA1faacae2bc22fcd8444539d0ce95d9971372531b8
SHA256baf2bd309df4c4f79bb6bca3e557e37f985d758f96c275d34f526ea01ca3f243
SHA5125fd68ec6824db331d62a5f63dfde9c8dbbdb5a6619b84cc709c479006e3058a8adc4e43eec0cf5c30d9581d9cd5c21f5818c322a8545f3a17e578f7379a97976
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5518ec3d48c0b24f6984d6f0a60d92731
SHA11688d1295dfcf792b72673d9ad2c322a68637af4
SHA25650c605efc963b2a36d33e10f1bf03931a3624b29c8fdab51234e2eccc0331c94
SHA5127f556df6dbffbad293e13b380f81c3aea17c537fef3baaacf66a3133dac21d368c3402bc4ab757ca7bb9d9d7b25e96f2644546c8929f0a885534a0c09d1ebd13
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD54ee2f853ea5febc9655f7f9ca9869bbb
SHA129e8f8800cb064302046ab6830fa3306ffb2591b
SHA256c39eb84e508f9b2ecb0d4102b33cdc53b5dc1f0ebd95aea1076589202f076762
SHA5121417d451ae3adb89ecac845fd05b914d1859ee98c567a6b9f0aaf21312ec307d4281a1731766a20552a4f77f212c2aaf6f111409149858a260c33f8edbc408e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5605e6da4be6fffbe476dbd08dc0cfc80
SHA102aa5a9e432781b5280e3f26236a946e7936c46f
SHA256137f395e3414dee8ddc8251f6cb460145fc304359c69a723040060d7562301f4
SHA5121b670707e87d884bff6ae09421acd269546bb41c6a22565be9ae0f16aa97f737bd6877e3522f2a4df0836aac5c115228111343d2c388dd9bacaa77cff8580190
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5db8b2aebaa233faed26fc555060a9f00
SHA101ddbe20ea99f2db204e177afdf8462c48602569
SHA256b0fd7b24869f77f89aeb1a1570fc4f1c67c47fd5cc4de9edb66130361aa38533
SHA512c16c750e3d5ebc2b04dbc635de4f69f918ea9c9304b410bd4276df03911cb81c43bd077e761d30934558de3eebc7128c265a465af7d03e84b55d2839dafce88e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5f11437417c77931daf83547a305524a5
SHA1a0af4a62f95acc6695b1af70d3ca10dfb6319742
SHA256da4eabe3ec3cae4dfea9ea6727301321be99ad2ad55657135bfe1c8329392436
SHA512696311e86686a6b4ab03eb991cfcd2553e39040ad7e8bc9d6cb56cb099576f71b06327038f80fb282bb08b145d45180f9888e616606fcff5fd5a1642c7b9c63a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD530cba3226d6b11222cbf3887e227cc11
SHA1b697e1ff2ffdeca1368aa94d073cba54d6e2be24
SHA256f7cc8a38affc3895546a472f529df55e5160c3ac98820febf0b276feed2d3c50
SHA51216ad5f8e199c04f9b57f13368eb7c421f6c6610e6eab1dd20310b8ad4ac22de920387864e7c5e438cf7a8d6138de472b4ae015bfc1ad29103acec10702fc4cf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD54372920dae55d1a9779c1679b5bba271
SHA1d3532d27d60d090f460513ebf380b01f662bf83a
SHA256e122451888ddfaea7e028fe8301dbc9e0c78dd3ee37234cd87e7d657d9c9fa63
SHA5120dff1e53d4d2dc746419debb489948ceb42146eb1757e68f86720b801b78047db292a486a8288a81b010d33a825fc3d8beb989164a528ab2d6f592c0435754f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5379da68e50053e54f9a11e2d700dd2d0
SHA17328a0323de8caa5c1bf7c584df5a2c437855f81
SHA25632f14448d7c1691a5552923e6d05030b32575cc53db92a7607b14f61bca57615
SHA512dcb88d51d0f0405803cba98e00d02f209c6a92fbe2874a8d9d0f7007608380d0ba92bb2392e047f6f6f673b79075c1d886b92895fa55685a157a839f4f48b2ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD582a942ca24581e12ff97b43f9b712e25
SHA1f4044c0a646fd9ef1e87ba8b60552835c2556770
SHA256d7ca0f05e6dd95e52f9409b91d6203bdc834ec77919e15f9f9dd341a7ab411bc
SHA51226a4e3e44d7ef17a045fc675fad68e57f9f949f1908f30df4c59b53a9f443bbb3c399fffee41ed90c953eb1694deec24b5f674584879afe61bf2a2471acfff10
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5eb8f3acd0994b96ecac8c6ab078b331a
SHA13dc2c3555706eac2f58b7776dc7ddb9885e79ab0
SHA256af19bf72c2ed7a3615e2b5c8d3634bce9bcd45f3a88fac5bd87a28cb51d97fa1
SHA51299c2ca732f1f9ccb242bf33f9fc01ed35369c77b4a5676cc575d8e0e6d7f1f68346e789b8db5809e4954fca9fc2174402c9b810ac0015bfb5546f148dbe07f97
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD597c876fd607b944447655e6c197293b2
SHA1d158b7becf7e22fd803eda437a395e5f4d4f9a75
SHA256a231153b546012e36a516e247c409609183b81ae9faf156a75093ab2f88b056c
SHA51216e7680ebf278c382ba48ebcaf104363bd50d77960950855f52a1600cd1ebf052188ef55f173a995089f0f1baf5f13663c1b0eeecd1b25c26be8ac22adc8f934
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD521d0c9b5834cfda2f968baeb2f286706
SHA1deca7a16a3cfb787e4a2403b6ed7c871ee92aeaa
SHA25664d59be758848e54bb2d9be2f41d90cd00657ef3875d2a3c96605a020c6eda10
SHA5129363057497029bfdb3b142ab75806284f2e610835bc3abdbaf317875e17350150f7d3ce7ca7008946880ef2781263cc00e55ff6cb0daa1106ebcdbc25082e509
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD56bc90611c853135a41b027ba665ab85d
SHA18047eb2b84cfc6f0f85fa527672bae1f56ca6592
SHA2560a5f73d673cf9d82872571075a40088831d8cd88dc0ceff3e6cf21716acac2eb
SHA512181abdfaa4e8e444de7095ea3bc2ef4e959a3cfd1d2f59df2c6f6df679c9c2711d6021d6427935685cc7de428cca5d34bd61f72a24fe84e7e7707f3f1aeec317
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD52006af412da9058cc09bee1d85dd0df1
SHA10539043f3bd9e4cbb46f981cd093043cd0da7d75
SHA25681ba5f031024f65ba689c1ad46426bf67d2e6239a1ec3c7141304960f6b8cc1f
SHA512f592f52aec62539b149881e340a2d2dbb5ae81ec636f451ef8a1138458d67e090daa7b5817083dfb82d707b86a25becfec58436064de082b66ea477f3f1a6643
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD57333bbfcbb6b1bf2ae59fb8a2d310819
SHA14d09e2db083aa56a7a36927f3dbc429f8792b2b1
SHA2562c8521cbf39f52824f0fb4bf83e6dd0550d6097834d30b3e8410cc78b21272c2
SHA5126bd34d11082a1aff57c5e8ab2645d1f6ca72d9727f731614da24b9df1d8dbd6d625aa9e9b707082275b2e518773968fc6558282d813543cb2276668052ae159b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5714f522b9a4ebe274c8c888b48c3d67f
SHA1c063d05c53e1a3f7f680f51f275bde24ed11d1c3
SHA256d1a25250bb8282c7a0b0de16beef58f61c45158a1be1c2d5635088a4f5b9994f
SHA51267c0e359b2a591dd04d5d6dd0ae942ea0ca9016173678076c776445cdbdd550ac66190d383e44b7ec579be177669128882467a9b3d4670abc33417210b4b6b85
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD59d82fef162c56cdf7c655a5d651e1af0
SHA1bd626aaefba6b8bedf81bcc0c6c9830a32bdf29f
SHA256cad6c2339f19dcbb64da7d108b90d8b617a63c8c4f38b2fe2d21919635c2d4f8
SHA512a84205962c826e6c9952314dabc6db4bcd88bb5a68363f629535af099f30e65d50e4305d7061c389ad8845d3cf15252063bcc33cb4cf56e84b5695d2f68aee01
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD58c730a59693c91a7911514bef8cbeba0
SHA1e8ff2d48ce115a430d3b4624a48349a08dbca9d7
SHA25644a7d15d2b933eaa4e35b04f1fd5bcc15137879b698c061b8af100b9f9ed9da1
SHA5128ad85a59f26b3f671c11b186bdf0be19b1a477c1e0f7d914ea95df317307251c60d0fb12e73b0ea7f4ab21e7a3e85faa7708acea4b5954956380d987ae0d1aa1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5d4b1697287ee9819602bec59ae546025
SHA1422c11ec73f7885f556cc3939e780a5caba34b57
SHA2564eef3967080c628ee93cdd9f8c56da2b7e1179957c45ea92cabef88a18443ab1
SHA5124af8932733101a6c55e8dd09c0c2f15f0a8cf2d46925184d86ef05850af8a394a942c103fc212c365b44bb3038fad4502e2592d105491d09d17ca52d3466fd8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD53d799e57cca6e9bce0bcfc9ba8d05c09
SHA113a9c7040752bd52a0823de8014ef61712beae7c
SHA256ea4efbaee20d490e495b2a3b895802481f700aaa4deb88e869d9d3166023ae02
SHA51240269f3736269039af7bf245c8c6548f421d5eba2cfbb31a916ab62a07619ac706177b40d6167325f2004994f248a5aedf175eeec07c14ef5c6e585f546afcaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD512ca6f57043b6715db09423452319b28
SHA1cc6423e5759ee6e8e1a2dd38ee74f502a2781160
SHA25692805b8e898aaae39b1463bf2f75a496e42554ac6b1a9c61881d8f7bbe99c5a0
SHA512a7f54d84b72ff367c10f1ddb70eb0d527d82e57eba7c2f60935a13ea03c33a5a08e1646989e3a967b79e0435c630e2cc859b8142e7e50827a009c5a6999b7ca1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD574fba4d17fb61885d04c6723218c88ac
SHA1a05ab5e88aeee1a41fa75183271b6ea64aacf0fe
SHA256c666b0b52a13fa64fafdbd86cfbef3d1590cc9fc667b58107ce742fed548b152
SHA512c90546b1dc5d1572cbc2c3ed95b3c9b626305d67d6ca6a6c4efcae46c18e7cc9f71b2c6c4b06c8ec2c01946bb9aa47883dbd7c2f88eb3821c3afd0555c8cb632
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp
Filesize28KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\01ABD05F24B7C929E9BBF7B620E2289C4EE00CD6
Filesize36KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\1243152E7867EAA24697321508C34F9CEF98EF1A
Filesize60KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\1A46D3B03B4914D068209FF81CDD6A6313AE1758
Filesize79KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\3804D14882C6E522E96092EB023F05E390BBD516
Filesize219KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\45C13727B6DB444F70F2FAA20129C63BE433735D
Filesize35KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\568BE820794A6DCFB0DF6FE5FC8802CF3774C4F6
Filesize300KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\579A732083CBF00043C4E457834015FF9E177B8D
Filesize17KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\635173200124313B1FF34FAE0FFBC6198EB7019D
Filesize60KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\779FFE4C3579D1E62C970F535C0DA0314A369D0A
Filesize25KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\80285EC16EDB2FCB53FE4D6500B0396AC776DCD0
Filesize664KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\93A3F61C53110DFB2A449EAE79580128ABAB08D7
Filesize96KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\ADB77CF89BB7C3EACBA0400910D8956D4F8A5D23
Filesize1.2MB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\B7337353FCAEF82D4CAB849A66CBEFEE641105EE
Filesize273KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\BB5FB70C74C290CCB9F25BF1EAEDFF4CAF215688
Filesize55KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\BCE71DBB793AE30DA661022604E710C2005E4FDA
Filesize18KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\BD518506D48E5D9A2A1A812001B343D87149620C
Filesize175KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\C471E1231FEC7D8FDB41B016DCED83CAE4DBAF27
Filesize17.2MB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\D105AB5F954C0907C9073BF810F90A3C36C6D3E5
Filesize841KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\D2764A516583A378D0BA2325F933EF3C538EF129
Filesize47KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\DD2BCB6AF648949C84F016445C2DA9B9EB0DEDD8
Filesize72KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\E44D8EA2BB95FA202605B58E615B3400B72A14D2
Filesize38KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\ECDCAC02BA516C8E7D07B971A01197260F341D74
Filesize13KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\F54E7030F181831909BFCE5EACACBD3D867BDC0E
Filesize99KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\FBC146AB8DCBD6505B59F9D2C02C2E871AE99F13
Filesize29KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\thumbnails\1dbb17a98f851b3bdad5dedd90f72387.png
Filesize5KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\thumbnails\1efb8437e720d2dd19c2da2a783bd64c.png
Filesize10KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\thumbnails\4b66d06d970f8960be1f55d5fdebfb85.png
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\BonziBuddy4.lnk
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Bonzify.lnk
Filesize490B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
Filesize931B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
Filesize151B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize19KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf870af9.TMP
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NK5R7P2JQALSJOWUT8LD.temp
Filesize5KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\crashes\store.json.mozlz4.tmp
Filesize66B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin
Filesize20KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin
Filesize20KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\2395c5c1-b05b-437a-9656-16e577a092fe
Filesize713B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\49f25ee5-1e77-4fce-b63a-2879b16282bc
Filesize2KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\59743308-a5a9-4086-95dc-7c853708a016
Filesize777B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\6e337061-1cad-4bb8-8b4e-31c136116a27
Filesize790B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\7f32184f-ad5f-4baa-8760-d242ea052e21
Filesize678B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\7fa05034-c05c-4912-b531-f5dc3b0cdbab
Filesize850B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\84316188-1d0d-42a0-a1b3-3d8fa8ff2d9f
Filesize745B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\9cbf3d46-aae1-402f-9ffa-4ced59d58d4f
Filesize681B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\d61b0231-afa0-4b57-a6e0-9b8acf561de6
Filesize712B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\da1eaa42-9f5f-4ae2-8002-969e2038211d
Filesize12KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\db9f4241-ed18-4a1f-8801-e6bcf1105023
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\f0bea17f-0a67-4c9c-85a7-cc9c8fed6752
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\extension-settings.json.tmp
Filesize438B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\extensions.json.tmp
Filesize43KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json
Filesize259B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize122B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize181B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize228B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize288B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize90B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize53B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionCheckpoints.json.tmp
Filesize146B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize16KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize42KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize18KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize84KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize67KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize71KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize40KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize71KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize83KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize11KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize74KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize76KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize42KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize84KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize11KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize71KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize71KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize72KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize26KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize16KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize73KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize42KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize23KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize88KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize79KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore.jsonlz4
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore.jsonlz4
Filesize65KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore.jsonlz4
Filesize577B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore.jsonlz4
Filesize7KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\storage\default\https+++uploadhaven.com\cache\morgue\121\{2e1170f2-e641-46cf-b78e-f95b767dee79}.final
Filesize44KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB