faf6dd2652f889431407df47b973dcdfa1d4c790bead60e75b123ea8964cb36e

Resubmissions

01-12-2024 00:18

241201-al5wbsvkcr 8

01-12-2024 00:16

241201-akx44azme1 10

30-11-2024 23:57

241130-3zr6lstqdl 8

Analysis

max time kernel
869s
max time network
1103s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anmerkung 2024-01-18 231511.png
Size

321KB
MD5

921e48fd77add10603c4b4fa4833b3b1
SHA1

702e4a5887419373aeee0db9e41887d52d796bb3
SHA256

faf6dd2652f889431407df47b973dcdfa1d4c790bead60e75b123ea8964cb36e
SHA512

116bb75bde4c692e98cc0735694edb2e0f90b7ed397753b8481a2747fce8bcf43b221d8e955a95941df588091d853214a10c4a347aa798ac60f046cc11ec6a7d
SSDEEP

6144:3iAw0Kz4kgawmXR7RYTwX7DprHlk5+kF1+4TXTYPyNmUZyzeCzGYGfKJrTpWqaJw:XSprXR9Y0FHlk4krFTXMyNmUgiCzGYGw

Score

8^/10

defense_evasion discovery evasion exploit persistence phishing privilege_escalation trojan

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe

Downloads MZ/PE file

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4132	takeown.exe
4876	Process not Found
4876	Process not Found
7640	Process not Found
7616	Process not Found
7728	Process not Found
6392	takeown.exe
3792	icacls.exe
2960	Process not Found
7008	Process not Found
8132	Process not Found
3680	Process not Found
5320	Process not Found
1048	Process not Found
5104	Process not Found
4512	Process not Found
5108	Process not Found
7332	Process not Found
2172	Process not Found
3104	Process not Found
5128	Process not Found
1216	Process not Found
5996	Process not Found
4320	Process not Found
5712	Process not Found
5344	Process not Found
5132	Process not Found
3724	Process not Found
5588	Process not Found
5028	Process not Found
3724	Process not Found
5800	Process not Found
2448	Process not Found
5312	Process not Found
2484	Process not Found
960	Process not Found
1060	icacls.exe
1916	Process not Found
3476	Process not Found
5488	Process not Found
4728	Process not Found
2844	Process not Found
5896	Process not Found
3936	Process not Found
6896	Process not Found
4356	Process not Found
4220	Process not Found
6808	Process not Found
6576	Process not Found
6356	Process not Found
2964	Process not Found
5808	takeown.exe
2740	Process not Found
5932	Process not Found
6896	Process not Found
3816	Process not Found
1768	Process not Found
2092	Process not Found
2536	Process not Found
4460	Process not Found
5932	Process not Found
2960	Process not Found
1176	Process not Found
5588	Process not Found

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-14.0.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 55 IoCs

pid	Process
4996	tor-browser-windows-x86_64-portable-14.0.3.exe
4972	firefox.exe
4796	firefox.exe
5056	firefox.exe
2956	firefox.exe
1284	firefox.exe
1652	tor.exe
788	firefox.exe
824	firefox.exe
6216	firefox.exe
6696	firefox.exe
6728	firefox.exe
6776	firefox.exe
6260	firefox.exe
2344	firefox.exe
6224	firefox.exe
6428	firefox.exe
6856	firefox.exe
4748	firefox.exe
5480	firefox.exe
7144	firefox.exe
4488	firefox.exe
2000	firefox.exe
396	firefox.exe
1896	firefox.exe
6720	firefox.exe
3968	firefox.exe
6592	firefox.exe
4024	firefox.exe
4792	firefox.exe
3832	firefox.exe
3328	firefox.exe
1492	firefox.exe
3596	firefox.exe
3640	firefox.exe
436	firefox.exe
6928	firefox.exe
3696	firefox.exe
1576	firefox.exe
2756	firefox.exe
2092	firefox.exe
5044	firefox.exe
5800	firefox.exe
1724	firefox.exe
5900	firefox.exe
3712	firefox.exe
6468	Bonzify.exe
2628	Bonzify.exe
5588	INSTALLER.exe
4368	AgentSvr.exe
4544	INSTALLER.exe
1916	INSTALLER.exe
6628	AgentSvr.exe
5464	INSTALLER.exe
1056	AgentSvr.exe

Loads dropped DLL 64 IoCs

pid	Process
4996	tor-browser-windows-x86_64-portable-14.0.3.exe
4996	tor-browser-windows-x86_64-portable-14.0.3.exe
4996	tor-browser-windows-x86_64-portable-14.0.3.exe
4972	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
2956	firefox.exe
2956	firefox.exe
2956	firefox.exe
2956	firefox.exe
2956	firefox.exe
1284	firefox.exe
1284	firefox.exe
1284	firefox.exe
1284	firefox.exe
1284	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
1284	firefox.exe
1284	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
6216	firefox.exe
6216	firefox.exe
6216	firefox.exe
6216	firefox.exe
6216	firefox.exe
824	firefox.exe
824	firefox.exe
6216	firefox.exe
6216	firefox.exe
788	firefox.exe
788	firefox.exe
6696	firefox.exe
6696	firefox.exe
6696	firefox.exe
6696	firefox.exe
6696	firefox.exe
6728	firefox.exe
6776	firefox.exe
6776	firefox.exe
6776	firefox.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2536	Process not Found
616	Process not Found
3592	Process not Found
6968	Process not Found
3700	Process not Found
6888	Process not Found
2404	takeown.exe
5344	Process not Found
5236	Process not Found
5900	takeown.exe
4436	Process not Found
6632	Process not Found
6844	Process not Found
3652	Process not Found
6684	Process not Found
3864	Process not Found
6832	Process not Found
7516	Process not Found
5600	Process not Found
1820	Process not Found
732	Process not Found
4020	Process not Found
6696	Process not Found
7952	Process not Found
6956	takeown.exe
5684	Process not Found
3172	Process not Found
6812	Process not Found
5344	Process not Found
5220	Process not Found
2344	Process not Found
2632	Process not Found
4876	Process not Found
4200	Process not Found
7320	Process not Found
3124	Process not Found
2652	Process not Found
1052	Process not Found
3636	Process not Found
3292	Process not Found
4504	Process not Found
8168	Process not Found
8148	Process not Found
7284	Process not Found
4508	Process not Found
4932	Process not Found
5984	Process not Found
5100	Process not Found
2940	Process not Found
6776	Process not Found
3276	Process not Found
3504	Process not Found
1916	Process not Found
6712	Process not Found
6940	Process not Found
7688	Process not Found
6196	Process not Found
6576	Process not Found
6832	Process not Found
4512	Process not Found
6888	Process not Found
2996	Process not Found
5712	Process not Found
6936	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
831	raw.githubusercontent.com
832	raw.githubusercontent.com
833	raw.githubusercontent.com
834	raw.githubusercontent.com

Power Settings 1 TTPs 6 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
7136	Process not Found
1052	Process not Found
4412	Process not Found
6032	Process not Found
6824	Process not Found
4044	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SETAD9B.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SETAD9B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\help\SETA9F7.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETAD87.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETAD88.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB048.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File created	C:\Windows\msagent\SETA9E4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETA9F8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETAD9A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\help\SETB07E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETA9F9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETA9F6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB0A0.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETA9CD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETAD86.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETB08F.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETA9CE.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETA9F8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETA9E3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETA9E3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\SETA9E2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB047.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB046.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\INF\SETB07C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETA9CE.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETA9E5.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETB048.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB07D.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\INF\SETA9E5.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SETB04A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETB382.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETAD86.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SETAD89.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETB392.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETA9DF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETB049.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETB0A0.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETA9F9.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETB047.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETB049.tmp	INSTALLER.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.3.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe

Access Token Manipulation: Create Process with Token 1 TTPs 8 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2200	Process not Found
6392	Process not Found
6960	Process not Found
4772	Process not Found
2116	Process not Found
4412	Process not Found
4600	Process not Found
3640	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4132	5624	Process not Found	9369

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4232	Process not Found
4524	Process not Found
4876	Process not Found
7048	cmd.exe
6476	Process not Found
5320	Process not Found
6312	Process not Found
6512	Process not Found
6700	Process not Found
5220	Process not Found
6524	Process not Found
6580	Process not Found
4412	Process not Found
4220	cmd.exe
5604	Process not Found
6888	Process not Found
5996	Process not Found
2904	Process not Found
6760	Process not Found
3188	Process not Found
4272	Process not Found
2312	Process not Found
6488	Process not Found
2980	Process not Found
6340	Process not Found
780	Process not Found
2200	Process not Found
2000	Process not Found
5128	Process not Found
4920	Process not Found

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6420	taskkill.exe
6216	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCommands"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ = "IAgentCtlEx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacters"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentCtl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCommand"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentDPv.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR	AgentSvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\ = "Microsoft Agent Server 2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}\ = "Microsoft Agent Voice Command Module Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID\ = "Agent.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ = "IAgentCtlCharacterEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\shellex\PropertySheetHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\TreatAs\ = "{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\DefaultIcon\ = "C:\\Windows\\msagent\\AgentDPv.dll,-201"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ProgID\ = "Agent.Server.2"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\DefaultIcon\ = "C:\\Windows\\msagent\\AgentDP2.dll,-201"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.3.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\IMG_bLwO:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	mspaint.exe
4872	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5316	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	6420	taskkill.exe
Token: SeDebugPrivilege	6216	taskkill.exe
Token: SeTakeOwnershipPrivilege	7120	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	6968	takeown.exe
Token: SeTakeOwnershipPrivilege	6256	takeown.exe
Token: SeTakeOwnershipPrivilege	2788	takeown.exe
Token: SeTakeOwnershipPrivilege	4528	takeown.exe
Token: SeTakeOwnershipPrivilege	3924	takeown.exe
Token: SeTakeOwnershipPrivilege	1612	takeown.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe
Token: SeTakeOwnershipPrivilege	6444	takeown.exe
Token: SeTakeOwnershipPrivilege	5168	takeown.exe
Token: 33	1056	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	1056	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	2244	takeown.exe
Token: SeTakeOwnershipPrivilege	2476	takeown.exe
Token: SeTakeOwnershipPrivilege	2480	takeown.exe
Token: SeTakeOwnershipPrivilege	6940	takeown.exe
Token: SeTakeOwnershipPrivilege	6636	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	5352	takeown.exe
Token: SeTakeOwnershipPrivilege	4760	takeown.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	5440	takeown.exe
Token: SeTakeOwnershipPrivilege	3644	takeown.exe
Token: SeTakeOwnershipPrivilege	6372	takeown.exe
Token: SeTakeOwnershipPrivilege	5588	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	7120	takeown.exe
Token: SeTakeOwnershipPrivilege	5808	takeown.exe
Token: SeTakeOwnershipPrivilege	5300	takeown.exe
Token: SeTakeOwnershipPrivilege	5904	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	3792	takeown.exe
Token: SeTakeOwnershipPrivilege	1612	takeown.exe
Token: 33	1652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1652	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
1056	AgentSvr.exe
1056	AgentSvr.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
1056	AgentSvr.exe
1056	AgentSvr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4872	mspaint.exe
4872	mspaint.exe
4872	mspaint.exe
4872	mspaint.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5316	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 4872	2944	cmd.exe	81
PID 2944 wrote to memory of 4872	2944	cmd.exe	81
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1692 wrote to memory of 1736	1692	firefox.exe	95
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 1124	1736	firefox.exe	96
PID 1736 wrote to memory of 2328	1736	firefox.exe	97
PID 1736 wrote to memory of 2328	1736	firefox.exe	97
PID 1736 wrote to memory of 2328	1736	firefox.exe	97
PID 1736 wrote to memory of 2328	1736	firefox.exe	97
PID 1736 wrote to memory of 2328	1736	firefox.exe	97
PID 1736 wrote to memory of 2328	1736	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Anmerkung 2024-01-18 231511.png"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Anmerkung 2024-01-18 231511.png"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11f31b80-7cb8-41ec-b95b-ae5d438e2e10} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" gpu
    3⤵
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22383362-8e5e-4de3-a787-4ae643603d44} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" socket
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3196 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20857dd4-5a14-46d8-b607-f0bada5bff19} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -childID 2 -isForBrowser -prefsHandle 4324 -prefMapHandle 4084 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b6bfb78-cddb-4c37-a010-9573e834cc7f} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:1204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01cf821b-af9d-4bc8-85cd-40abf380b573} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" utility
    3⤵
    - Checks processor information in registry
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5304 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d30f1f-2dde-414c-bf97-fd8c444b3abc} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5747ba8-7456-4555-8f5a-abf771f5536d} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7ae1170-6cfa-43f8-9572-fdd5e9208dea} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6312 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52dc483c-8c1c-4568-96e9-e5d085211910} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:4632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 7 -isForBrowser -prefsHandle 5504 -prefMapHandle 5452 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32962d8a-fee7-43aa-844e-746945275849} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:6084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 8 -isForBrowser -prefsHandle 6652 -prefMapHandle 6656 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b6e6eb-1756-4fdf-96f2-265738b35fdb} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:6140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6452 -childID 9 -isForBrowser -prefsHandle 6676 -prefMapHandle 6268 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cbd07a3-8705-41de-a881-d7365e023853} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 10 -isForBrowser -prefsHandle 4472 -prefMapHandle 3508 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {642b85b2-c78f-47c0-8fcf-08096b9a041e} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 11 -isForBrowser -prefsHandle 5528 -prefMapHandle 5932 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6626ee43-7aa7-47c1-bc72-9b821289aec6} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 12 -isForBrowser -prefsHandle 1408 -prefMapHandle 1432 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce87da9a-53c0-4a02-9b54-326e6c0e5b58} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7668 -childID 13 -isForBrowser -prefsHandle 5192 -prefMapHandle 1280 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2513478-0399-4009-a92e-5c979375659b} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7944 -childID 14 -isForBrowser -prefsHandle 7936 -prefMapHandle 7932 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60caed9d-b84b-48d3-95d7-f9ff385e4e14} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:6736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8044 -childID 15 -isForBrowser -prefsHandle 8160 -prefMapHandle 8164 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34664f27-e7ae-452b-bf42-c6cbf8c21aa2} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8188 -childID 16 -isForBrowser -prefsHandle 8028 -prefMapHandle 8112 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae1887a0-582b-446e-afc6-ecea2082fb3e} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7688 -childID 17 -isForBrowser -prefsHandle 8272 -prefMapHandle 7980 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64a25563-a606-4fca-96b9-09259da31143} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:7092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8536 -childID 18 -isForBrowser -prefsHandle 8624 -prefMapHandle 8628 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c24227c-c421-4619-8d27-172030c019cb} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8856 -childID 19 -isForBrowser -prefsHandle 8988 -prefMapHandle 8984 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dd2537d-2052-46b2-91b4-42171a0b548c} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7920 -childID 20 -isForBrowser -prefsHandle 9108 -prefMapHandle 9104 -prefsLen 28324 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a491d154-e7e7-4502-a84b-2c5cb5efb011} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:7132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3308

C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.3.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4996
- C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4972
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4796
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2492 -parentBuildID 20241125154204 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 21012 -prefMapSize 252047 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {01d763ed-ea6c-4e58-aff1-27c85bf445f1} 4796 gpu
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5056
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2076 -childID 1 -isForBrowser -prefsHandle 2260 -prefMapHandle 1896 -prefsLen 21821 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e593a338-f5a9-4831-b76d-8a3624bf57e4} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2956
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:6145c42d55f557c6602b4b436a5c156ab17c35f0335355f840706233c2 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 4796 DisableNetwork 1
      4⤵
      Executes dropped EXE
      PID:1652
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3084 -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 3068 -prefsLen 22592 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dcb900bc-8417-4f4d-a35d-2f9e044d223a} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1284
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3264 -childID 3 -isForBrowser -prefsHandle 3268 -prefMapHandle 3272 -prefsLen 22705 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d279b67b-c178-4f93-944a-73dae5266df2} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:788
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3816 -parentBuildID 20241125154204 -sandboxingKind 0 -prefsHandle 3468 -prefMapHandle 3024 -prefsLen 25334 -prefMapSize 252047 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {88839ab5-e1f5-4612-b67f-ec18fe76876b} 4796 utility
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      PID:824
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4068 -parentBuildID 20241125154204 -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 25414 -prefMapSize 252047 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {54d43727-7309-48c9-b3d6-ad15c9a9375c} 4796 rdd
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6216
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1880 -childID 4 -isForBrowser -prefsHandle 1856 -prefMapHandle 3096 -prefsLen 24349 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9ffc41ac-0e39-42b8-a943-60c446de6011} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6696
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4444 -childID 5 -isForBrowser -prefsHandle 1880 -prefMapHandle 4292 -prefsLen 24349 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {381b3224-cd4a-4306-9f43-3b1549fd85eb} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6728
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4564 -childID 6 -isForBrowser -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 24349 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b814059a-3e7b-46ff-a631-d2fd71f63c69} 4796 tab
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6776
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4436 -childID 7 -isForBrowser -prefsHandle 2384 -prefMapHandle 4232 -prefsLen 25058 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7c1997b5-19f0-4f82-9c16-a5464cb906a2} 4796 tab
      4⤵
      Executes dropped EXE
      PID:6260
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4344 -childID 8 -isForBrowser -prefsHandle 1884 -prefMapHandle 4320 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c91bdbb5-4c89-40e6-a3c3-e8b234e26db1} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2344
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5236 -childID 9 -isForBrowser -prefsHandle 5200 -prefMapHandle 5188 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8988b394-7ad3-4dff-aea1-dfa223762401} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6224
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5084 -childID 10 -isForBrowser -prefsHandle 4996 -prefMapHandle 4384 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2345776c-0a58-4d80-a90c-ecd5c32ab3b1} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6428
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2040 -childID 11 -isForBrowser -prefsHandle 1388 -prefMapHandle 1380 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2672fc97-b89c-4029-94a7-f5351ea1ebd5} 4796 tab
      4⤵
      Executes dropped EXE
      PID:6856
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1712 -childID 12 -isForBrowser -prefsHandle 3324 -prefMapHandle 2224 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a0073682-a411-4600-8e4f-5407d0d7c3bd} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4748
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4312 -childID 13 -isForBrowser -prefsHandle 5340 -prefMapHandle 2388 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fc8b443a-6967-489f-8e1e-94d352100e33} 4796 tab
      4⤵
      Executes dropped EXE
      PID:5480
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5572 -childID 14 -isForBrowser -prefsHandle 5576 -prefMapHandle 5464 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {11b6bfaf-f4fa-4e41-80e9-b39e0c39854a} 4796 tab
      4⤵
      Executes dropped EXE
      PID:7144
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5252 -childID 15 -isForBrowser -prefsHandle 5060 -prefMapHandle 4408 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {75680284-9b59-4aa4-b4d4-10d223047b06} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4488
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4764 -childID 16 -isForBrowser -prefsHandle 4504 -prefMapHandle 4488 -prefsLen 25133 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {eee4e1d0-b368-49ec-9972-025a20934377} 4796 tab
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3472 -childID 17 -isForBrowser -prefsHandle 3120 -prefMapHandle 3108 -prefsLen 26709 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f6c35656-56e8-4b82-97fd-4cd1ee95fdef} 4796 tab
      4⤵
      Executes dropped EXE
      PID:396
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3192 -childID 18 -isForBrowser -prefsHandle 5520 -prefMapHandle 5296 -prefsLen 26709 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a22139b1-b9f7-4153-a61c-38ea20c08eee} 4796 tab
      4⤵
      Executes dropped EXE
      PID:1896
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5696 -childID 19 -isForBrowser -prefsHandle 5904 -prefMapHandle 5964 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d9049fbe-0915-401a-8127-012467276a25} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6720
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=6016 -childID 20 -isForBrowser -prefsHandle 6032 -prefMapHandle 3184 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {61117cfd-f306-41d4-8ded-f30cb08eaaed} 4796 tab
      4⤵
      Executes dropped EXE
      PID:3968
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4252 -childID 21 -isForBrowser -prefsHandle 5620 -prefMapHandle 5608 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b244b727-020f-4ca9-8fa2-ccde75b7819b} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6592
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4796 -childID 22 -isForBrowser -prefsHandle 5564 -prefMapHandle 5596 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d0b71cd2-e99f-4dc9-a195-f760509b916b} 4796 tab
      4⤵
      Executes dropped EXE
      PID:4024
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5780 -childID 23 -isForBrowser -prefsHandle 5116 -prefMapHandle 4024 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a13bb5f8-c8a1-4d7f-96cb-57976e139671} 4796 tab
      4⤵
      Executes dropped EXE
      PID:4792
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5212 -childID 24 -isForBrowser -prefsHandle 3264 -prefMapHandle 6140 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {14020c80-0fe5-4a07-8ca6-cddb63b19c1e} 4796 tab
      4⤵
      Executes dropped EXE
      PID:3832
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4428 -childID 25 -isForBrowser -prefsHandle 5296 -prefMapHandle 3480 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dc030ed4-a1fa-4d00-be64-4c89b4ac8b5d} 4796 tab
      4⤵
      Executes dropped EXE
      PID:3328
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5956 -childID 26 -isForBrowser -prefsHandle 5920 -prefMapHandle 5636 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {56adaf00-d019-4cb4-89ec-07df52175278} 4796 tab
      4⤵
      Executes dropped EXE
      PID:1492
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5988 -childID 27 -isForBrowser -prefsHandle 5920 -prefMapHandle 2188 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c3f84aa2-2ef4-478f-959b-abd289f6cbaf} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3596
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5552 -childID 28 -isForBrowser -prefsHandle 5620 -prefMapHandle 5836 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {cac2d14e-ebfa-4e08-b26e-bde5346c5abf} 4796 tab
      4⤵
      Executes dropped EXE
      PID:3640
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5604 -childID 29 -isForBrowser -prefsHandle 5340 -prefMapHandle 5100 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {234f3a3f-9da4-4b19-b3ea-4c9cb4a9d751} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:436
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2192 -childID 30 -isForBrowser -prefsHandle 4444 -prefMapHandle 1932 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {278e12bc-e63a-419f-b8a1-2a4d5c6f7bbc} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6928
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5836 -childID 31 -isForBrowser -prefsHandle 3876 -prefMapHandle 4548 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {db35975a-5ea6-4ae3-ae43-ae4c5b72c966} 4796 tab
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3696
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1836 -childID 32 -isForBrowser -prefsHandle 5280 -prefMapHandle 5328 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4bea26bd-9130-486d-b4b6-97b524ee250a} 4796 tab
      4⤵
      Executes dropped EXE
      PID:1576
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5924 -childID 33 -isForBrowser -prefsHandle 2024 -prefMapHandle 5744 -prefsLen 25299 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6ac25311-4ff1-494a-bbdb-d30e7c12addc} 4796 tab
      4⤵
      Executes dropped EXE
      PID:2756
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=7248 -childID 34 -isForBrowser -prefsHandle 5480 -prefMapHandle 5928 -prefsLen 26749 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {24062000-32f1-44fb-a709-6fe555dfd0ea} 4796 tab
      4⤵
      Executes dropped EXE
      PID:2092
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4760 -childID 35 -isForBrowser -prefsHandle 6708 -prefMapHandle 6716 -prefsLen 25339 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {bb939dfb-86ca-4b1c-9a1d-04a0efeb4cc7} 4796 tab
      4⤵
      Executes dropped EXE
      PID:5044
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3204 -childID 36 -isForBrowser -prefsHandle 7800 -prefMapHandle 7796 -prefsLen 25339 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {467b1527-5e0d-400f-96d5-3619e5137be5} 4796 tab
      4⤵
      Executes dropped EXE
      PID:5800
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=6788 -childID 37 -isForBrowser -prefsHandle 6648 -prefMapHandle 7656 -prefsLen 25339 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8f9e2258-d7cb-4dc0-add8-4b75391da460} 4796 tab
      4⤵
      Executes dropped EXE
      PID:1724
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5264 -childID 38 -isForBrowser -prefsHandle 4472 -prefMapHandle 6268 -prefsLen 25339 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e77f0db6-a5e0-43f8-8a40-a3289a4a4c9e} 4796 tab
      4⤵
      Executes dropped EXE
      PID:5900
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=7736 -childID 39 -isForBrowser -prefsHandle 5260 -prefMapHandle 6192 -prefsLen 25339 -prefMapSize 252047 -jsInitHandle 1404 -jsInitLen 234780 -parentBuildID 20241125154204 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5421996f-ecc6-480d-a93f-3a71db0a5cbe} 4796 tab
      4⤵
      Executes dropped EXE
      PID:3712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5644
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\IMG_bLwO
  2⤵
  PID:5608

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.4355_none_640af958098f5494\r\mobsync.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.4355_none_640af958098f5494\r\mobsync.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.4355_none_640af958098f5494\r\mobsync.exe" /grant "everyone":(f)
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe"
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe" /grant "everyone":(f)
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe"
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe"
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe"
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe"
  2⤵
  PID:6352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe"
    3⤵
    PID:6620
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:5168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1916
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
    3⤵
    - Modifies registry class
    PID:1676
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
    3⤵
    - Modifies registry class
    PID:2940
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
    3⤵
    - Modifies registry class
    PID:6304
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3800
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
    3⤵
    PID:5644
- - C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:6628
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe"
    3⤵
    PID:172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:6376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe"
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:6944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe"
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6760
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:5464
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
    3⤵
    - Modifies registry class
    PID:5712
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe"
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe"
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe"
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe"
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe"
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe"
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe"
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe"
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6620
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe"
  2⤵
  PID:6720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe"
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe"
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe"
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe"
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe"
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:6420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe"
  2⤵
  PID:6820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:6224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe"
  2⤵
  PID:7140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:6952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe"
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe"
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe"
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe"
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe"
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe"
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:6512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe"
  2⤵
  PID:6232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe"
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe" /grant "everyone":(f)
    3⤵
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe"
  2⤵
  PID:6304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe"
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe"
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe"
  2⤵
  PID:5300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe"
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe"
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe" /grant "everyone":(f)
    3⤵
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe"
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe"
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe"
    3⤵
    PID:6596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe"
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe"
  2⤵
  PID:6628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe"
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe"
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe" /grant "everyone":(f)
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe"
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe" /grant "everyone":(f)
    3⤵
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe"
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe"
    3⤵
    PID:6720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe"
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe"
  2⤵
  PID:6808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe"
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:6012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe"
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe"
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe"
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:6392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe"
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe"
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe"
  2⤵
  PID:960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe"
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe"
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe"
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:6296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe"
  2⤵
  PID:5188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe" /grant "everyone":(f)
    3⤵
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe"
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe"
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe"
    3⤵
    PID:6812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:6988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe"
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe"
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe" /grant "everyone":(f)
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe"
  2⤵
  PID:5996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe" /grant "everyone":(f)
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe"
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe"
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe" /grant "everyone":(f)
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe"
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe"
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe" /grant "everyone":(f)
    3⤵
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe"
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe"
    3⤵
    - Modifies file permissions
    PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe" /grant "everyone":(f)
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe"
  2⤵
  PID:6168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe"
    3⤵
    PID:7060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe" /grant "everyone":(f)
    3⤵
    PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe"
  2⤵
  PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe" /grant "everyone":(f)
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe"
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe" /grant "everyone":(f)
    3⤵
    PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe"
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe"
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe"
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe"
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe"
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe"
  2⤵
  PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe"
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe"
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe" /grant "everyone":(f)
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe"
  2⤵
  PID:6728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe"
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe"
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe"
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe"
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:6704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe"
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe" /grant "everyone":(f)
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe"
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe" /grant "everyone":(f)
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe"
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe"
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe" /grant "everyone":(f)
    3⤵
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:6984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe"
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe"
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe"
  2⤵
  PID:6720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe"
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe"
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe"
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:6828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe"
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe"
  2⤵
  PID:6920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe"
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe"
  2⤵
  PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe"
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe"
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:6508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe"
  2⤵
  PID:32
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe"
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe"
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe"
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe"
  2⤵
  PID:6596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe"
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:7100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe"
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe"
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe"
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe" /grant "everyone":(f)
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe"
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe" /grant "everyone":(f)
    3⤵
    PID:7040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe"
  2⤵
  PID:6916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe" /grant "everyone":(f)
    3⤵
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe"
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe"
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe" /grant "everyone":(f)
    3⤵
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe"
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe" /grant "everyone":(f)
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe"
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe"
    3⤵
    PID:6432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe" /grant "everyone":(f)
    3⤵
    PID:6524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe"
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe"
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe" /grant "everyone":(f)
    3⤵
    PID:6500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe"
  2⤵
  PID:6192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe" /grant "everyone":(f)
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe"
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe"
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe" /grant "everyone":(f)
    3⤵
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe" /grant "everyone":(f)
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe"
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe" /grant "everyone":(f)
    3⤵
    PID:7120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe"
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe"
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe"
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe"
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe"
  2⤵
  PID:6484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe"
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe"
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe"
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:6668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe"
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:6528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe"
  2⤵
  PID:6232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe"
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe"
  2⤵
  PID:7140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe"
    3⤵
    PID:6920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe"
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe"
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:6248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe"
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe"
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe"
  2⤵
  PID:6836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe" /grant "everyone":(f)
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:6596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:6888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe"
  2⤵
  PID:6268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:6392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe"
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe"
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:6984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe"
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe"
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe"
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:7060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe"
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe"
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:6528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe"
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:6320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe"
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\r\dasHost.exe"
  2⤵
  PID:6940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\r\dasHost.exe"
    3⤵
    PID:6700

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6312
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    PID:1036
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5588
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
    3⤵
    - Modifies registry class
    PID:2968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1932
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
    3⤵
    - Modifies registry class
    PID:5172
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
    3⤵
    - Modifies registry class
    PID:5104
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5372
- - C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4368
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:7120
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.19041.1_none_684a86f0f0d0d27d\mountvol.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe"
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\f\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.4355_none_8c3f318071fc288b\r\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:5056
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6940
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
    3⤵
    - Modifies registry class
    PID:5072
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe"
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:7080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe"
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe"
  2⤵
  PID:6920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe"
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe" /grant "everyone":(f)
    3⤵
    PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe"
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6444
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:7060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\r\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe"
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\f\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe"
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe"
  2⤵
  PID:6696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.3636_none_4f11d547531484c7\r\msconfig.exe" /grant "everyone":(f)
    3⤵
    PID:6196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe"
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6636
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:4224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\f\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe"
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5352
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe"
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.4355_none_1a3c81bcd2c0b015\r\msdt.exe" /grant "everyone":(f)
    3⤵
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe"
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe"
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe"
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe"
  2⤵
  PID:6608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe"
  2⤵
  PID:6736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.3636_none_fadc95dea0355286\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:5160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe"
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7120
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe"
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe"
  2⤵
  PID:6760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5300
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:32
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\f\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe"
  2⤵
  PID:3328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:5332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe"
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.3636_none_2073fd9aaf02bd6e\r\msinfo32.exe" /grant "everyone":(f)
    3⤵
    PID:6236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_10.0.19041.1_none_de17915d5c62b62d\mqtgsvc.exe" /grant "everyone":(f)
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe"
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\f\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:5588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe"
    3⤵
    - Modifies file permissions
    PID:6956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe"
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe"
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.4355_none_02d7a66ea3cbefb1\r\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe"
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe"
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:6516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe"
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\r\mspaint.exe" /grant "everyone":(f)
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe"
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4132
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe" /grant "everyone":(f)
    3⤵
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe"
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe"
    3⤵
    - Modifies file permissions
    PID:5900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe"
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\f\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:6276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe"
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe"
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.3636_none_031c31aa65148fe2\r\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:6316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe"
  2⤵
  PID:6820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6296
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe"
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe"
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.4355_none_594fe8ada8de83f5\NetEvtFwdr.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe"
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe" /grant "everyone":(f)
    3⤵
    PID:6744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe"
  2⤵
  PID:6716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\f\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:6192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\f\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:6464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe"
  2⤵
  PID:7056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe"
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe"
    3⤵
    PID:6152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\r\NarratorQuickStart.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\f\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:6296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:7120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.4355_none_e4dc5a2b33a3fddd\r\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    PID:6396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe"
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5948
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\f\Narrator.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe"
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe"
    3⤵
    PID:7060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:6720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe"
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe"
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.4355_none_32d7f8ba58f32ed0\r\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe"
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\f\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe"
  2⤵
  PID:6268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\r\Narrator.exe" /grant "everyone":(f)
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe"
  2⤵
  PID:6956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe"
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe" /grant "everyone":(f)
    3⤵
    PID:6304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe"
  2⤵
  PID:444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe"
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\f\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe"
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe"
  2⤵
  PID:6952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.1052_none_648fbf276da33ed4\r\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:6508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\f\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:7032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe"
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.19041.4355_none_646f10bd6dbbd6ff\r\NcsiUwpApp.exe" /grant "everyone":(f)
    3⤵
    PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe" /grant "everyone":(f)
    3⤵
    PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe"
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe" /grant "everyone":(f)
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe"
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe"
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\f\net1.exe" /grant "everyone":(f)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe"
  2⤵
  PID:6608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\net1.exe" /grant "everyone":(f)
    3⤵
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe"
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe"
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.3636_none_fb738a3509e79e84\r\net1.exe" /grant "everyone":(f)
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe"
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe"
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe" /grant "everyone":(f)
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe"
    3⤵
    PID:7012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe" /grant "everyone":(f)
    3⤵
    PID:5492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe"
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe" /grant "everyone":(f)
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe"
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\f\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:6256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe"
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:6192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe"
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe"
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.3636_none_d4fc5f25ac989b9b\r\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe"
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe"
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:6032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe"
  2⤵
  PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:6960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe"
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe"
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\r\netbtugc.exe" /grant "everyone":(f)
    3⤵
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe"
  2⤵
  PID:7136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe"
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netcfg_31bf3856ad364e35_10.0.19041.1_none_c61fe93bf0d70d90\netcfg.exe" /grant "everyone":(f)
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe"
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:6916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe"
  2⤵
  PID:6616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe"
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\f\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe"
  2⤵
  PID:6524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe"
  2⤵
  PID:6256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.4355_none_6210d48fc59c1fb3\r\Netplwiz.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe"
  2⤵
  PID:6512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\netsh.exe" /grant "everyone":(f)
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe"
  2⤵
  PID:6528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.3636_none_7c81879ebb6a0d5d\bridgeunattend.exe" /grant "everyone":(f)
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe"
  2⤵
  PID:6736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe"
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec\bridgeunattend.exe" /grant "everyone":(f)
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe"
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe"
    3⤵
    PID:6296
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe"
  2⤵
  PID:5996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe"
    3⤵
    PID:420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe"
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe"
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:6612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe"
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe"
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:6760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe"
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.4355_none_923db70c427bd65f\r\LegacyNetUXHost.exe" /grant "everyone":(f)
    3⤵
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe"
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe"
    3⤵
    PID:6432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe"
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe"
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:5124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe"
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:6348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe"
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe"
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe"
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\f\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe"
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe"
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe"
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe"
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\ndadmin.exe" /grant "everyone":(f)
    3⤵
    PID:172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.4355_none_86306b1e05e34e4a\r\newdev.exe" /grant "everyone":(f)
    3⤵
    PID:7004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe"
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe"
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\nfsadmin.exe" /grant "everyone":(f)
    3⤵
    PID:6320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe" /grant "everyone":(f)
    3⤵
    PID:6960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe"
  2⤵
  PID:7140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\showmount.exe" /grant "everyone":(f)
    3⤵
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe"
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\mount.exe" /grant "everyone":(f)
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe"
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe" /grant "everyone":(f)
    3⤵
    PID:6984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe"
  2⤵
  PID:6616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\mount.exe" /grant "everyone":(f)
    3⤵
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe"
  2⤵
  PID:6560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe"
    3⤵
    PID:32
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\f\umount.exe" /grant "everyone":(f)
    3⤵
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe"
  2⤵
  PID:7072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe"
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\mount.exe" /grant "everyone":(f)
    3⤵
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe"
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\mount.exe" /grant "everyone":(f)
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe"
  2⤵
  PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\r\umount.exe" /grant "everyone":(f)
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe"
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe"
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.3636_none_c5faf9e6a5c6a1cc\umount.exe" /grant "everyone":(f)
    3⤵
    PID:6140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe"
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\f\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe"
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe"
  2⤵
  PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\r\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:7116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe"
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\f\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe"
  2⤵
  PID:6352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:6508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe"
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe"
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.3636_none_217a1378f7e88a5a\r\nfsclnt.exe" /grant "everyone":(f)
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe"
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\f\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe"
  2⤵
  PID:172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:6512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe"
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe"
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\r\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:6340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe"
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\f\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe"
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe"
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe"
  2⤵
  PID:6628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe"
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.4355_none_e3d4ad452539f20a\r\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:6888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe"
  2⤵
  PID:6744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8171817405d01500\nslookup.exe" /grant "everyone":(f)
    3⤵
    PID:6916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:6224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:7012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:32
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:7148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\r\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:7060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\f\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe"
  2⤵
  PID:6528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.4474_none_a1a719c92a0e7c7a\r\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)
    3⤵
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe"
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe"
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:6960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe"
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\f\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe"
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:6248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.4355_none_be6f2cfe415f9ce6\r\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe"
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.1_none_e15558ebc4b8bd81\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:6728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe"
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\f\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe"
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe"
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe"
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..oreuap-iotuap-tools_31bf3856ad364e35_10.0.19041.4355_none_a01e6b31da956d9d\r\iotstartup.exe" /grant "everyone":(f)
    3⤵
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe"
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:7100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe"
  2⤵
  PID:6252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\f\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\r\dasHost.exe"
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\r\dasHost.exe"
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.3636_none_1ede7798904dc5ef\r\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.746_none_88402ba139c8967e\dasHost.exe"
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.746_none_88402ba139c8967e\dasHost.exe"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.19041.746_none_88402ba139c8967e\dasHost.exe" /grant "everyone":(f)
    3⤵
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\f\OOBENetworkCaptivePortal.exe"
  2⤵
  PID:5424

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
5245a405dc077eacfc485457dcc0cbe4

SHA1
94342411aed996c4420189d50146367cabdca423

SHA256
dfe378fe38b6da2fc848fab6bcfbfccb02fc962e49bbd46530bb2a4085a26cfa

SHA512
068b907f5448d11f8830deaad5c9ba7914082ac41f51bf65ed188222e231401893a812010d0d5914b082ab6b2f18029f3cbbaebf3311165beb9b2b2e5500da30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
d58382d0632122489c6a81e7b70ff128

SHA1
83cee33ea94312e7e81092e6821dd43abd34c426

SHA256
7101c486ffb7cddcaf293c23fe8e940f9a5beb2b4a8ac634c3a77ae1bc7a5613

SHA512
589bbef0d7a3466cf139fa3e53566bd199a88b9cae236641623c831e0cdde484f774b1272816642ff40d6107a430977a0dcd2e138556ba293dc8474401d2b2c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\14033

Filesize
65KB

MD5
f9dd2c1e18788061ba72aae4147f1621

SHA1
40f765a6f6fb28c017a32688e743654bdef83ab1

SHA256
59f9cc35e9fff459f9b1e2dd730bfa6d2aaef07f2efc0f5feebe7aff5a4d94cc

SHA512
a2635f2863f74c46293f548b579cfef95b3263365d6dab493c870f72633a6f3315b97940aa0b66c9145f3f5a9640c6e7ef89779adde683dfcc0367f74bfba351

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\22170

Filesize
15KB

MD5
135bcea4dbe74ece1db7caf3b869bf49

SHA1
5e44ae74cb17ee0fd88a5040240d244beada7254

SHA256
d6137a01deda97a96f8f82f6ac20754441cd136b69532c194600237daeac78fb

SHA512
20caf44bc5bff0098de6374dfadc02c24cf4d9405a83e6de529dd855446cae41099b721f929607d371ad2f6129576fc6e02a6ca8b74a672dcfe68fb528f25ed3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\25099

Filesize
8KB

MD5
1730bf625261cb8c002a77b2d83f07e1

SHA1
3311e13aeb433ce393135a59142f9911aebf8c6f

SHA256
e36b9d6e05c7c83fe97cade9fd365b9d3fbae325bb773fd4cb3a9816e723b15d

SHA512
944da9e75bb58b3c27c970a653b5fa5c48985563d24c6b177e266eaa5123d4dfeed4c5a5f36e6d3fba161edaf7a68e230134e2254ff22fa227b1b1c0d58801de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\29823

Filesize
7KB

MD5
20515bf536c9bbb7a3dcb581fe0d6af9

SHA1
95dbe6e70aa4d7c2f01204194b0a7b3cc7cc4d47

SHA256
bfc166984613c29f3c4eab73911e568e13f3ad52f8f0b77407c2ae4dee810a05

SHA512
3ee0d85187d0fbffb71384f5e12649377d9228df02ffd4791b144d40879fa0c5fd44cf46b4952e1a151ce52ffe70d97bece0f12e6a0946c743b46a588bba1d81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\31051

Filesize
68KB

MD5
89c848247123560b9ef296c7d8850bec

SHA1
2f2c99660b7ca2e1192e35cb66d59f71cd2ad003

SHA256
21849f7433069c6cd676d5d4757d6fd9013a20aaff010c1a9ce930c2cdd3a480

SHA512
925239401a1c40c21b7430582376a0041d75712e993940101ad606cfe91d07db7e169de4a334ad6f2183349ccf9d2223c2cc074339893597d99e4d83bcbcc60e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\doomed\32640

Filesize
7KB

MD5
dd3a5b4bb80e4004c7e98674d98bebcc

SHA1
e4bdc33181cbde11df9340da01e556928eeb3ae6

SHA256
bbf9516726a4324d6810e3b08e006b02abdda30b242f5a7e8af8c5343882562d

SHA512
d0e707edc2f4096c78fe66033e9621ea3ad5df72777b13d020883b7cfe2a3495ef8fc488f5439070bc70a643807a7ad24f338f69a3085490febdb685f964487b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\05C847F4C5B415754BF3E069B9EBC4473AE4EF36

Filesize
19KB

MD5
826d54f3c978d94619cff91da0af8b62

SHA1
540249ac4cfa02f765d281e439013f650bd6f517

SHA256
3e6829551e2acb8a6090fdc0ccbcb451ad427e901c5b86eeb8ac39ac645f0e2e

SHA512
d4638cd9a40c77a4c26e3b8addb48daac8bf54ad4865ee4bdadefd1c872ab2dbc8ee9a14005a9aea7c05c62bfd59d82730688db6fde1fd1e9d4b489ba85d0532

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\05D2C41BE10853E0C82BF0760BDF4821648958CF

Filesize
28KB

MD5
05ce641052a3aacbd8e0f22515f5317a

SHA1
78db99b53da79ac24e3cc002a41c85ed7dbafbd5

SHA256
9ecf7b5f44961f7b76e8254dbe3f83bbd0749adc246b5d3944a6649efeb3ca57

SHA512
26f80446a79dbe5bb237dcc3835030d6b3a39e5d5117925e457fad2051613c32180272e8981233360ca997064fcd9677ce07f708845a1290b05e537c29f23d14

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\074C87425995923C693F87FD47E1EAB3CC73E372

Filesize
21KB

MD5
8c3c3282dfe76cbe00e409ef8e47a4ab

SHA1
401cb7a778b83a1fea662623a71b996d4abe0cb1

SHA256
557f2023d26854e7c8b907b06b5b84a765894669f1e20737f37460fa778edf4f

SHA512
d990760f55d0b20d1ed31a46dbf9d4f3e39077d387fc5a99955273559520b42c890f64bbff627d2d9f92c5d62623e748202cf3e5bde9924ce9fa38508bfdb396

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\14032416A39165E5D4801D83F2C99FD5E99162A0

Filesize
15KB

MD5
f121f1eeae0ad04e7853dc36a82040d8

SHA1
c0d44b520df85c5ae801089e71d42e400a3b0269

SHA256
52f44e646daa8ff5d121e8a29ffb18c686c6d13af7fff58c566db3a8fe28c6fa

SHA512
f60eba8e4a8173cc18e8a72a45601b14b2fdd6cf9b52926ece38a88c04ad643974fe79160491909a025ce073dd2d2c161f87cecf99c4d0d46f37cf7d7d8422b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\15871A5728864D28799181BEEAC2E83675385338

Filesize
28KB

MD5
fb9ff116b87c0cd64c459e9b73002432

SHA1
00a6237e703cb98aa08da9eb2d01edb99dc14cdf

SHA256
bc7f9f24622f4813ab5f21c6c06b36f012ed7a336f0abdc33b76d017ad9ef67a

SHA512
3dffe9c23df7866ecce2b473c1ebce2c8eeefde8522fe7879ce17d4209db0ada5b32df806a32366a19c9ac2e6e0560490450845086ebbcab0998086f0b9adc56

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\160615699E2D70066CA2227210B8A1F058AAD618

Filesize
9KB

MD5
7f4c8d6ab31144236d0bfb597f18610f

SHA1
eaf0c540a03dbf1f093e2483000bb43b34575861

SHA256
ef8552265d8cf0f9b109e85e6570e759fae80434ef1261f0a90323f23496d9e5

SHA512
90d92f0ea44e9e22b6589e4207f6652c87dee9d842d454bccb8c6fd7c541da829f49f697ffbde440ea728834f7b05e09805594ac1fcea237fe0a1d976a38e455

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\17CFFF6E7327F9E10F7B2BC626BE005CA2F1C014

Filesize
14KB

MD5
6f929f5cc1d8261b81bbb38d25283b23

SHA1
4cdf1b0075bd1eb79d9e6e9a595571fbcadcae30

SHA256
85d8bcd263044120b5da012adac728409e4c58f935da9bbb570f986b5a11346b

SHA512
f39074adbc4039a367e0ca158675d4135fe5a0f151b4c75082f2859966dfc1984113f61f470fe716d9cc2c5975e064a2381df02ac5365d533e79beaa82315c0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\1975AE611CEF716AA4C50A26A3F97BA9AE886100

Filesize
36KB

MD5
dd0f433e0c80468e345fc79e828eb8c1

SHA1
4dec40a55e3f12341dc8ab245a82995637c92266

SHA256
20f545eefa1f5aab5caaa2265512b2a5b39257d3e93858fc03ba755c412f3b61

SHA512
ab7110ff2d4caaf153dc5d01ffb19f94e08629e9cfbcf34f8045091f28e27fd0a6b5a32f394e20bd31fa465f7572afb1404e1aaa8eef7255d1634e7a39a7cc23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\1D2E8C9DB8518B4204F31A1B1255F76C5CCBBA79

Filesize
16KB

MD5
f04f31fd081051d9e66396d6c790760d

SHA1
b57d5726995c92ca701e3bdfa294a2706d9dcc46

SHA256
e1febcd389fbb19783c2a05d48722ec99db18a2ff397463c93f4c296d8e096a4

SHA512
b67a6c253fc160ad3ac966c1263bcf51ba6a89c5bfea06a67b981a70cf5891443a43641a03b5285732ad8e4507fd11e262608f50afefa020d4ba07dcd16bfa1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\251789BF31A9302BEA16FA24CEAD8F8B0F86BFA3

Filesize
1.3MB

MD5
bdfc45951aac25e245b774e936c4d6c6

SHA1
4c8ac0a0b3d42ee3e630a94f8ef8522138500b1f

SHA256
204156f24efff3b82f0460deb4f90405a9f242ad80bc05efdc0e4e4dec97525a

SHA512
1934039e25fa93ed3406e7aa3c247e1d140e627e5ae2459d7b65c7730a482d4c44c6387ea0ab2b939e4143bd340a7060b476271d495e5a55cf24b2f800482113

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\2685C4EE7C9A7448CEA029AD16B9ED03525E529E

Filesize
38KB

MD5
831ee2dcb59ad5ebbe2daf7fc0288fbf

SHA1
48c8683ae05e99d7f38b82b3a66326296ae52cee

SHA256
2184801c86ac88b640773414c6452d7989ddc32be5ce6310f52b599e28a55fbf

SHA512
f4fd028c93c875cf4452788b743391331cefc3d1c5801108e656a8b97f192b9aa2a3b1d4c0c247a8f1c48f301067f023f415066c1261ea09774043b418335cb7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\29C08A6D2A0CF6100B72D8E242224971E2F5B2A2

Filesize
10KB

MD5
9d780bcc9ef78ac740fb2962988cac58

SHA1
ef99c3d58b35199c820429e613b860bf1af5e638

SHA256
091b37cee9709fbaf83c4f60e5ac8405deff9b66b6ff9c66322c9f61ac208612

SHA512
59040205047b28fefeaa8638b706cf224ff115946669b8eb0f2f50f7c33de75f5cc1e8e9d9baa00eb472819c5348a42d4031245c6d02ee02a6383c7fca73f8ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\2CA295C6A85A4731202CC283B9F0B85A262CB49F

Filesize
15KB

MD5
37a306206962959104bcf4c84f3e46ca

SHA1
d6f259a8620d51c46b96d87718ea5796c585573c

SHA256
2ae1735aac93868ef87ac5342ab7893048f5b2752961c10bde4b360bb44805b2

SHA512
aae10046169e2bfda54678bf759f5215b93a6eb3a6e81ba42f748389e436edc9fa2687001b4e9eacda90236267b16d37c62f9e66b1b285e3772f3f0063ac28db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\349A5CCC901FF16BD458C47140FEB9FE00CE4F67

Filesize
22KB

MD5
c8823551f5299ac7e3a3fd7dbf273f5c

SHA1
3c1aad19511fc84259e4b192cff99698d5c7173a

SHA256
fe043bea1c2d6911d5099ee80f1acc678c933f9f1a0c3f41e3f7ed4695f38472

SHA512
fa2acc3d2008e7b0d79b2df9ec489d6d39bb1bc4e05b74c4cb848736f18d6beb5ae4aa20476eb986dd06e8d0b6910114dcd1e24e6fcd4afded1bb78006553501

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\39C8CF3A8C213420D86B301D201026CA2D13C7ED

Filesize
380KB

MD5
ee8e509fc603fb782a0b380004444981

SHA1
0c1cff3eb0f2a9646e4c965b905be15ca0c6a719

SHA256
7c9e88862f505d8042d84eb58c501ef0c0907516c191dc6681cab2182613ea46

SHA512
cf5f67b6b60faa16049c05da80b50a12c1318e3126f42e09dd476c8b09537ac3443c734375860dd7d826848956c7918f3314e235ae4f341fe11f2581581e3e11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\3AE44262AE4B0B5701C6E616D2AFA46B23BFB1D5

Filesize
104KB

MD5
c86293c1f13bd214e7b62e6ba6002032

SHA1
c71324108a39ab05cfac42405b9eca43bbe933c1

SHA256
8b62ad2cd9b3bb7c0f698fd1f36b60dd6cc58055d5bcdc86f39599c28229df84

SHA512
b1ca606d99fb00dab872925c7fc0b36a278d88edbca9a5cabf928cab20c5280386ae64baf2370e6c29b5ce51929335341c4202570bbce046132b3367755a2548

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\3D4D1913191E6317F80655EDDC87DAF9E9753E36

Filesize
95KB

MD5
fb138216f91320013f7f5e712ab93bb8

SHA1
c28a9e736c0e8ba3c893c92c29b569144e00c717

SHA256
0a5c5ece11e283bcfac054f95eabaadc9c4f3c28f3ad39ded918c50f8d22d509

SHA512
0cb9639685171dbfd963cb6b52aa84c52d2d99b40f5a5ed6d9857d2ac47e4ab58957660111af028db3267d32a72141f426711d5d5f3b63763e61c870c0adfe47

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\3E388052777D236256DA4088A5C133E76C9DC9F6

Filesize
20KB

MD5
3592e6c457e3736058db0d3291d24218

SHA1
faa7fb0d7ac4bd55033f405cfed61e9289f10a4f

SHA256
87ab848202e0a72fa414fcd80388fc92fa7e1fd83d03b969847b987105629e3e

SHA512
59c1df5429e2a3e0248f7efd1c2ce0d38dd60b906078de866285f689dd0e14078f0188d44af2c3b78f6cb06873a767c7e1223b33f647d8e6110ac10e16fba79e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\40014F4A106615AC0A96479B5299A88D6B07CCCE

Filesize
22KB

MD5
4e7ac729d265ef8bb718d57fab3057c4

SHA1
1885baa2e636101e826650aa1f97b69556935e32

SHA256
c0407bc8b6227713c4ce67ceaa7ba03c6ab4743b37d406ff206f8bfe61aa1beb

SHA512
9b5ffcf5af4f61e689e39db168b34ff828fbf0d665de5d2696855e04890e8d335ed16e34f34b05284cae2ced5c5798323c6bb556ffba5e55d973dc0bab29d43f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\401A78F1293072DEB76E18955D685FD4070B6625

Filesize
16KB

MD5
a82818cf626b316c9a17b26cba99763f

SHA1
aef88415d461d5cbdfb2248112f1aab6f4a145ee

SHA256
861cfd1e4605261323e791362f0943192252c6915eb919c5bbaa9eccbff52999

SHA512
5e68022eb08accef64e1a3d4948a18696ee23d0f82b432a22968f76d1bc6f30fb837c5497695d77e8a9e4ce3c8ac8bba7fa344c7e55fc0dac008faf54beaed8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\408A18B8355DDEDBE289CAD44FEBBD7616DB4434

Filesize
15KB

MD5
ffeac3a514c034cbb1c1a5fc1ef6dfac

SHA1
43388599f75b5fb7b23fafd33b4a789fd168e734

SHA256
36b39ef8483000cd0fc81f1f89cbcbdc64ab1a379539362eb7844d4d1be09d30

SHA512
11f76ca03b10b0bdc99fcb7f416b4ec284c09de68cf07cdb7150c71d6522e32f7c6dec2c9c9373f78c68d6658551c573e02bdb6f114f2e37d4f63f74f6e68a95

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\4E566B85B26171D9470805D178EBC53F48961360

Filesize
39KB

MD5
146bb6d1bf542c93a3153e2f4a19f81c

SHA1
33ef3875644d17732e8bb741ed3d315cd40d4c6d

SHA256
982f02c6d0c76edaf8d08de74da2036c37b7e40f1a32128fff2b3f57c4d932be

SHA512
a3812829863aba3e6ff684c6dda9151e58296f40db288319ac2e9e83bf9fb26d908a984eb5b04b207bf56db4ae4cb709d5d9febc4f077fe1a853ee592ad68852

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\52AAC426094E73B9E38EFFA77614941F1BB93757

Filesize
13KB

MD5
dc09c31be18b64947e8ead983ec5e36a

SHA1
dc8a3ea90ca2fc8daf68b1389381c3242ea609b3

SHA256
c13a96fafa60ee96644d8703b0b902a5113e29bb047f42cfbe18d9c47a2abcdf

SHA512
d31d0fca01c50d0eb26a5f7cf67cb75d9d3cce1de91b7b88b2efe23b738987f3a0052ad538836ec1751b371fb758e0d05a4d5ed2959fe8099db77807b67e2520

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\5524427E76785200FACC0DF8A5808E07217D7E24

Filesize
14KB

MD5
3a4b54fdac9273ed4fb22629b28c3a58

SHA1
56357273fccf6192638e980282a3ea1315bb2635

SHA256
6706afe020e58bc145b97e79f1eb0a6dde111521911a9a830021cbb671d06871

SHA512
850b4c2d98010986d09448282a57846929a3803d2620f3038c49c711d3cb31ad155e058a6e07bd8aab26f9dc7915c74000e94a3df4ec2faabf2c02dfd00b42cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\6171C3DCD3501947A8FD700724EF6121B8CDBFBC

Filesize
17KB

MD5
fc2d61c5bc18db4b709271dd4bb12277

SHA1
e5d6181187b111a00bb1db89facfa6aa84995089

SHA256
0325f4605cdf3d4be0e8557ec828bc08e28436755ed89955b89c149aefca3470

SHA512
90f876f8dd0c9e437ae1182a0895f59b11f7de10555894e511ea709eb4b54602a80463a629c83b87beaae0f4e28d4355d1e3f7c067ee17fd8304fd34e7129e4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\6A693CCB759B65C699EFF3AC209FBB7D82DC9C0A

Filesize
38KB

MD5
bf35e0cfce29d997e329381b0c54d6d4

SHA1
9d5aa91e31e357d532152911f3bc6d86d69913f1

SHA256
7b88b9a634001500d3baffaef7d2209da598d01cd3ab607da7d806b1024593a4

SHA512
225997570b4be6405c6ddf3ebbd163243d26358d3bbf60a153a0eccf11025d95373e1de20446ea4e53282407088af9f5a9d7d11cab75d64c492b987daac54c65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
e13e49b53e00b86d39df98c4fdf3437f

SHA1
3c6c8a49acc26ec58fee2ed0cef1598e124f6dd0

SHA256
657717d8bba84dc820c946e569364d01561e1a659340756521411aceed13a97e

SHA512
06dff4de745092178aa40d5212bc19bfa45bd37bd41c4d7739c6f766c982e17ecab2a3a514e1b319680123eb95bbe804e27e646355d5ef77a4b85416fb73f80c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\71D402D25B0FE6857DF4138773E16D55A2C04182

Filesize
144KB

MD5
cf060b37c1406a2809e72118a2d7c3b3

SHA1
7f5c02517318bdbfb9b75df3cea66feaa1a31382

SHA256
79326e0b05e4e8dc248686b996202da81ee4a72534e7ad11f687fd4480405982

SHA512
2275bc061b43dd556a491ca3cb4c293fb3a40820d339fdabddd54a87d41e6faf202219eec7bfcdd09940d4440f9163a05a4ccaf8e0af03332377854e94b98ae3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\730D9220D19800EBE89226207EA2C64B227DEFC6

Filesize
15KB

MD5
55d5ca175c5fa7a097bc6d3fe68098a0

SHA1
79ebaf80a87c59aacaeecf7c3e04b9fcb585088e

SHA256
75e973aec8c10fe8df388b019b7d45dfd14404db2d6e565fefe0996f13086ecc

SHA512
d691826e68ceb7857ebd223a739326cf76131f3191c15e8a72f8ff27ab52e45889db7fa2b734455dbd68cb2918dd2708d8a4246633e26aba7ce71c2268857f36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\7B9333A62D64FB7150C744B39D020424A4016AA5

Filesize
38KB

MD5
422f6713cacf97ee00fe253b6d2395f4

SHA1
8eba3401bba41481c785a66b1af11684613fc45c

SHA256
aa87885c9fd9366332c51ed605186ea9b6b9bdcd12b58d00358ba5d4ba397aba

SHA512
157e9fe9fb20c65f52a27d5d50c888db5dd4355104230b539f707154ca3d6183bb7e0cab0f1a71b93632e5a8bebd16c8c691b8d99e07a53793ba40785be814df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\7C413117EF936A3D043DA56BB3801929DD5164E4

Filesize
2.0MB

MD5
9117a5c60ef3457ae128d352f34eee88

SHA1
ddee07b4c195b61c18c258f6cde966d87dab1072

SHA256
d0babd623bab0e4dcb9655a28db8b08b2b694d4625487b5bcc27efd040447246

SHA512
cee3c795be52047f511d8ab28a2d6f4170ef1166668c3781fd4791b9c4731aaaad00f9dee6f3cf1adc4858cab1c7a5679762783abd9779b2a66e320a36f19401

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\808EDA8C40AD26C31B17AB7CBF563B59278B4CC0

Filesize
5KB

MD5
4088faa16a0b24e8cd8db93cd55d15fd

SHA1
4dbe1d90c73b9e2e8625fca310fb4603f84bb14b

SHA256
c644f32c9cf2ebb8ac8c8ee52288fcd5fa364ed838f6b466328404d58f4fe1fd

SHA512
79bb12a718633c52e519d42af3aa0d87c908f9ac7d65ffc49e6af76f1e4f3594fe44fdc963db43ebb086b424f3cfa8833ef66287eb67775b50e7782e62ed3ba2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\83AE208B2D1891F2938898ABB1D213CB8A32D7FD

Filesize
320KB

MD5
7f5b5e19afa66957b70f2eb6d6a97f8e

SHA1
3d8ff38d1cdd8c96fe63e6fe0d2af4ecd0161f21

SHA256
42def049083cec6a4f9885faf61efdd519a79c4aaf02fee373c8445900922e4a

SHA512
1e04647adfb1903bc4bcfe3004d27224d0488c912789a6056cb2a636001fb9b93c130495c4ffe4c81e6ed9ca32b9bbebef60ae39923780944a43ddefac53bdbb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\8792BEC4E332D3DA45F81D1539C1F565C98649BC

Filesize
340KB

MD5
e804677937ea9742040f25f75c01949e

SHA1
38f6a9a7f9d261fa03938f7263a3dfa212331859

SHA256
7334b7f73972764a0289ed0e88bec286f43a7c499e6d03d24cd4e74612011d89

SHA512
e47c631020e3435ec832fc21a024fbad1a7bc99cb00316602d2ab4be76b3768a337c05b77354c4b52c3bf2f0f3e72cc9ad197796865cd94ee80e83e2ddaff3b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\883001593F8F8F22838E82324A07EFDBAC72B444

Filesize
34KB

MD5
3997245b11fb046dd34485f7adba2f57

SHA1
e1c6560429d7716acaa5a1b4214818958c7f989c

SHA256
8f68dcbb8e34a081637abefcf774d2daa5e48ffd592a3f4c61eb61d162008f70

SHA512
76781c59f0ce592860dd990cf628b06d83a1474d34eef602c19fbef2f422eacae27787dcdb89214e76ba01f90032f7227b80a370f4cfcd002c9029b347c9f71a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\893E5752B17C922BC03F52E66312D9461E3AEEBD

Filesize
19KB

MD5
6a0c3e0cc2861b3bceb281b196aaca68

SHA1
b6821f173c3d14269d7b46d905fc03c3d0514ae9

SHA256
1442e670989622e9c280fbebe833096be95a1462771a9558e01ecb1646d8fbb4

SHA512
8dfc58a02ab1c7a39d754ca454ee1b839b461a3e4c00035b7f87eb4eef7c8cd5925ac9abf06d0c7af58719f50b6506c84d5e497dd0eccacc8d2001421f772fc4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\8AADC122BECC7CB710792EC42E7E86056CC68F50

Filesize
33KB

MD5
3b3e4bd62c5dc62d0ec3d3456d39a451

SHA1
2f77c497a92fd4f126e9f0cd2241c6cd2b2373dd

SHA256
738dd6c229ff819df4ca81d9586554a675f3c413d3903ab721fc3e9210f798fc

SHA512
825c70ae1c665addf993f844a8a0212d3caae8e16425d15fa8441c34fe1f6c71b0595a4a5f3e7849f44e1888c91327bc31d4ac286fcfddca8cd5a33da927a48d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\8BEDEA9D51609B0EF5FAE4B7E34EE86D752D295D

Filesize
19KB

MD5
9705babb92212eeae3cd986d3ace4fc1

SHA1
4052567d9993bad0a52f08d2d2efa3b7b3e528ac

SHA256
f7f110688542015310bb2d1751010789b524c9984dfbd203e0d6c770c0139bf9

SHA512
1d64fe80c0cda977927da8369f8332734f0153ccf60906ed3fb1e655ca71cc373243e15ced6536c1b27e06099360bb6f3ac303daf9596c781b5ae4803b49e8a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\914C32E3A583E48AC9A8A42F871B51B54F4A3BFF

Filesize
14KB

MD5
6a2d858011f8c318c8323179521cf318

SHA1
87d9c1d717818b67737001e78e2113bd0c04476f

SHA256
2c3b2182953f2d57130848335c132956bb35097001cca28c7a4ca09d42baaad9

SHA512
87c689c83fca9e924cf3c35113cf925edfaf5fd3dcee0dd0cb2da4283d688990a69f6d34d8bd035c1ab56aa9a5d139e25f57b4c04f9cdd30bd1bc6c58941693a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\96DBEFB59992582EBD3CDC6FA0D103E94667BB95

Filesize
17KB

MD5
e49f7d3de57b67acd26a488ea0e38691

SHA1
ff07085d9b2aa3931577905c2baab70e6b8d69fa

SHA256
dae9483d7a2c8243ed32f962abee975a22b0fba1e07ea35791ccd9daaf95820f

SHA512
f8a838b532bfbf2d3da1def53a2f41a6c16aa41acd4ddf5e1701ad56454e037c521a63c4a94853dafff515c7d7b1cd7095b1e4765ca93e690ba1d44d76826248

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\99AEBBAA41E92D3D1310639E7262EF8C48928DA9

Filesize
54KB

MD5
24847c7df06a4661754ad0751de29d3a

SHA1
4a1f8b0dc833692641a13ac6216067e95bcee4eb

SHA256
f779d736547965c1750b839da751fb7c23a7c8f19190e648a8f5457af12198e4

SHA512
aca3a8441dc03f7cccbdedf3a1c02db0a4a1bc4e10a848ac645c93771f9d541e612456299570c8a1d5af5b5428d07711af0cc8ef099ce9698dd8461ea8ec1809

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\9C3AE2CFECB55CC7676E7DEBF9F3FEEEB57319E8

Filesize
7KB

MD5
cfe2a6a04bde527b1b76c7e7d4a09169

SHA1
b2c8748d9ed2d3036e4b55b6478727ebf2206677

SHA256
c8fe0e5f3bae9b8ce084009f1d44a288f165213c6035a21efed98f706198966c

SHA512
25c3886e286a690942c70d271b820b8768bbbdc8a91d9562051cef0bd9e67260fa3d64a84a020014955d42f8dbc88eccbfd8620aa006b2a699896c1874892d98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\9E6A3AB34A9F4D30C5EB9AF0AB89E6D251622D40

Filesize
71KB

MD5
30af35f13a758e1236993724ef288b7b

SHA1
9ecc406c2222c6be65591bcea781b44b8d31f098

SHA256
1ad68914838a4aaea26b15f5f3acb22ad359856b20edc7ac0bba2d910df7b580

SHA512
a1b410bc80fc721d9fa558798ef0e0bb068302471f4671dc12742c7b50947ee84b0c9e6c53ac24e169f998a6d14f121e320a758778c15fcf0bb92ac7ed47214d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\9EB496E7EE0573B750AA2F165C2A7817AF062669

Filesize
139KB

MD5
ea6b35a598631874b6ada8449a4a2b74

SHA1
aed5dd549a6b815d5a7f0ae9b9ce46129186c50f

SHA256
d21567584ba2f138b48d0b26db614ec75628e61a8385c036b0c450e9ec213e40

SHA512
a9cd425219bfd236bbeb5c9b15290aa86f03106a5e29acd1858ecf6df0d89b19d95a6d34b59583a66d2f48958df37c75b085c0e48723acb491832dd4780c7fc3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\A49456A2BC2C2BD424F15F21A80B76C80EB72078

Filesize
41KB

MD5
a2b1318664a4611142b3864da9905ef7

SHA1
048e432aa562bf02a3ebbccd81b9800145428451

SHA256
edbd74a3307d6e1af4ce9bfd7b691c06276744f72c4271457ddffbabc0b3137b

SHA512
648dee0d13db160d8b539190a06eaf6d161701580fab85facee8a02d07ed62f6c5bb36b3598b374dba1c9c7115f6aba956714fee9477550b0665aa58115a9252

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\A54BFC018A94D8CC549E6D8738E8DFE274855EEE

Filesize
29KB

MD5
da76dc44bc8bd2fa7547bb025f854ec1

SHA1
d83b865444c3b88f81649cd7808e1b146969102b

SHA256
7e6b1b431af480d981b3d38eeb00fee1e3f84f7b47a6ff1cdde7c73ed1e1e24d

SHA512
a4370957842d09c10f0deb690d01571c835f69539866104cdfbcc9372275d87eef89b21a9eaaeb6a758bfc3660f15a5e57b2f17b813bb648d0849d98ac844f13

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\A7BB14B0A56DA65ECEC7795DCFDB9FB4C8E5582F

Filesize
7KB

MD5
b6e9fb1b2402c95ca366b4e3ee169151

SHA1
cfabc399bbae9e6569ea73713b3c1503196c35b3

SHA256
8cfd409108aedcdacfeadd3115de45fbb2641080155b45f20c10800007867a7f

SHA512
280154df5c89c0e6a977ea697809f77ddcd12c0d80dda44188fc698449030067d512470563f3820e7eb1a3ae53db058c14eff8f3afc23069eb9d25d4453aaa1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\AEDFB4590CFEC0A7A915638248F0401C3F2585E9

Filesize
48KB

MD5
6fd6df9507a50dfba79b8f0b352475ff

SHA1
c6ffefbfabffe783713263659cfecdb917b814c3

SHA256
7649bde690d51f759f4af96a30a530a30ceee937efb7e83ce43c081ddce67a5f

SHA512
b55f33c1eb95249276e6a18695d1fed18e0d4eaaa0f59165ce68d0eec9af05e5803db92b19621b98b392b2619a8ff345ce0f5e28475b840f07dd44644be68fd6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\B178C8FA35DC781B0A367BD5189FC48B2A821289

Filesize
35KB

MD5
f83e9afb9e1e125de481e48e33a4cfea

SHA1
832612e74e5e684e9d0e3f39414b8ca5d033bc7d

SHA256
33f08dd80050fe895a60f042dd35b5f65e320662f3ab5f401b2ff6c52ba22639

SHA512
d7055b9dcfd3c44881af0b2e34ecbdf7a23154d565e437ab13a0c28a59a2cd2bd7174d684fa6362cde2555588c9438b828a80b5cd1ca761ce874ee80f590bd90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\B3054793C468DD4F0B3EF12CE53CA4F2BFD333A6

Filesize
5KB

MD5
82af6e067ec4164113bcb3ccd665f165

SHA1
0aaeabb0d37582db05954767b7f2d87de55e5414

SHA256
ff7c1bde54b838ee854a9aa872aa8c040d96907a9f6094a44e40c185d850c8f9

SHA512
94accb552a2570be199ec7fa3e44768156b621a9ae68031678064c6acce35845d0a3b76a4bb8f668b42d5fd2f20b1b365e88e20afc2e8711568fbe212fad7362

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\B56A1A2EA4376B519899055B8D4A3D1067B57504

Filesize
18KB

MD5
6ae55b37010e380f891d6a0a06a87b3c

SHA1
9776515fdd3060df3c09b1b328d8a15f8969e1c5

SHA256
ed442986cf6c7a6b90a845fc3446769441d026ae64ee501c15d6934256407559

SHA512
8e72fac8421d281536795e2428358d05de108ad2261fc135f07ce54c91bf6999e8f5368f7eb12bf122711538b71388f7dff52cf21c132f0daafb88f98cee99b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\B8953C9CE846AEF79A17A09C295C86EA92208F3D

Filesize
24KB

MD5
6a81779b2cdfe0a5425f8ce76ea6d68b

SHA1
6260df0d1355b90be46ac3b4ea27221854278321

SHA256
93952f271c4db43fc1189b9cd48f54fc9f748e213237c2b39bcb4a054d80061a

SHA512
6261293500761ec6ad669c3dda4860a7aea6bc09a5dcf4955b44566a2430498daa2a48f9a8aaede0266a27f3a824a9f65195f0b832089d7b61d0e66da938386f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\C038F9A3428A65FEDA3993A69154166388FB5EE8

Filesize
22KB

MD5
06224e5e551839ebd40fa67d5e384227

SHA1
26b3dc4dcd0f6283ce1ee4d1b253dd122ae2a9dd

SHA256
5d962ace4c157413f60d5b5753e36ed8a8d90900091d7914c2a24d0da44c61b0

SHA512
f7e4dcb2b6343cf79d343ac86a6ddb2b39a2b44ae15a13773ca53fd7d36468261c2f11495de9ac5317d66e897e4b73ec17526159228a73e14b02b414fed23093

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\C126D7488B17DCE4BBFC58DE78D1DEF3300AA0B9

Filesize
56KB

MD5
76e80f81769096510a67095feb408063

SHA1
5f2b78e73762276b54f50126ca7ef884575c60d0

SHA256
f32780a3baf1b1a6cbcf7bcaf625a8b702986faefd80a565ebdb98424e1031d1

SHA512
8019d6a3b0bf16b5614567e36683746f6f0eb81ad51426610cb9781e0839b1e8030dcff89a3c7f10bc5d9b2da3a1a6f399b2d413e9021660652edf5e96c0f778

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\C3F1768A77315DC132DB9D6893152153931F0859

Filesize
422KB

MD5
a2a69e5d0b45e19715b418ff8795297a

SHA1
a27c87b82d64c94ed6e002b284bc6b95ff25482c

SHA256
4eedcdae80d4d848dd43bebd62cd5ca278fecf8ae1b5e3df327c62ae18bedd12

SHA512
3c60cbeb61d99c77b1a50de550cae5e9ff41a8d8fc1a7bbb67bde7cc4eee5e816a1e7d681c3d39530db3a8ddcefb8f940696ff6c46ec88f57fea6eb35c0bcfb9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\C5F0B0FC11AF926EE75C59036E6D39E67DA100B8

Filesize
468KB

MD5
8569f97cb4a6ea22ca9b458a1110d343

SHA1
4d6fb82afe181a33a7dbfc2d4a66459fbe6a05fc

SHA256
4a81222a188a5b74a55b8f92abfce1a5901c96f4dbc8dd549e03e91505377d65

SHA512
a19e6ad43d7cff957a3f02368f749e66a5ec0795fb28038b773d09750f6157b29af1e1e93569f8a1c7474346ce5a6e66f536757b6f46cb9625f13d782d5317d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\CBF4FD4ADC8BB22C740BDBD09DE93BE5541BF210

Filesize
6KB

MD5
ffb9d9b906490c12a522c42c7228142f

SHA1
eda5d89898d4b30ef0f17071140a1a1c1e56ac53

SHA256
b7535196c9a24a32c97a25b8463dc54c474a0ab2c9d7b2a29ea865c2f8c9c300

SHA512
04f5820cd60ca04e69e793b4452e28e1472c125a215a21f352fa92392e9abb7003d2280836ee753ef236e8340814bb0c77f83574c5e3fd7870053e40c7d2d9da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\CC56D530A171A2B195D73254A65896C0EE9596AF

Filesize
17KB

MD5
40c669ce92c5f66cef45d067fa1a1481

SHA1
ad7b826021f7b8f346cdc8e23d6f6affb5b37a2f

SHA256
ee6e26372d856c112c8154fd7a0bf446ab19b04562819b5168056a5a051091f0

SHA512
b02f75cafdc84f482992571f6001edd3d2c3e7d52fff2f0df7a6073b53255acf17fd6fa596e591fe95a91e9fe80ad50a184f80cf958cadfb587db8a822b38a43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\CCDF696C4D34679D94013BD8D628D7146E0E5C15

Filesize
23KB

MD5
fbfecc8076c74f2879c0c89620c25b96

SHA1
1ccc3a773fc74124a0369dfebb159918170cb52d

SHA256
40fdfb2ad183f74efdba10d6e2dfcbccbd0214a3ced2d46a469913fd5c5330ca

SHA512
fe6b2f8169a8ad5e9589cf708f07dea48e4476f3beee5b23c5c82f08b826819448ec9e6f7e25f8a90aa17e808b8ec28b3a4a69d1c78cea49eeef4f9fe3d587bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\CEADE5A851A906417B7BF38489E4D43DC3D00325

Filesize
44KB

MD5
24e3dcd40d778386c353f99670ff3c07

SHA1
200d068f08d6a81b9c9b7a738d66ad69fdffe0b8

SHA256
396c1f4da446b0184fb5e12672eb3c402549cb9da568943bd7765193980d66ab

SHA512
7dd49d9afadbc1f5bf1287cac762d932587a8241415109016b2ca32ef7c61f48caba98099767dcaa6612d71d882c7c9656b9549be29284b065a220eac63c16f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\CF2C042543FD2D65395423ED3161B36C2084FAC5

Filesize
1.3MB

MD5
909f26088aa6dc9048225c3986558611

SHA1
400cd2fdb6b8e2bb3f12a3ee03707d145d78fa75

SHA256
0a88de785bcad5e805bad16eac34b0039a3069a4f3cfd005156ffb5cffb64568

SHA512
952f2927a9b8987d46cf5e5f5e5a742c5144c30ca4678cad04c5a4a244a41ded72cf89472418012a941878a74fd7184af13af2c8ca3f7bdf873f2bf8c4daa97d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\D6E9CCDB49E4481BD4888BB77F22C2FD9215D53B

Filesize
15KB

MD5
34850e3e9f9f14712ef461c3be70c921

SHA1
1588443ac23a9c554f1bef057c22f94fd084b2a2

SHA256
f2231c6725ab02f815eec01990ce2d0165d6f2afa8a0833ff9ac6e42cd64832d

SHA512
f4b4b03094ecfad32f891acfc6e75467c99b8a40f35b7a2ffe0aa0ea4eaebd16e2e368d5e0292e438494900a8d289a6aa6014a2e6f6e78a29d510e9dab2f6982

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\D78F267A8925EBEE76A15415D4DB4CE9765181B2

Filesize
32KB

MD5
a14e03b184f43ef4bb9bbb6b0c550a09

SHA1
df9ce232604a8b4b93d1b6ccbcf98658c1b1f8ac

SHA256
229592231bc9583b7b0cb77d42a370e0c869475c69589afc7f2345e5efa8e7ac

SHA512
008798acaeb16964b72ede3a24e1ae38f1161a73b79f533b12181a9a1b41535266718e256677a56f977b15a226bb6cfa105215e612f9ebd62f5b9dbcd48d54da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\DC904F6FE13AF2FDD1A89E5DC2045B0E5EE12A27

Filesize
224KB

MD5
b565879f738cbcaeae51cbab665a1ab3

SHA1
05e5446a6693a49d1c0f5ae5328fbf9be9fd1190

SHA256
5475a695e40d94a3d42204631f9e1b055dfda4711d0d4a44d8900bcbe636257d

SHA512
64d7456b85bac5fcdd146e0e3060ac8cf180da4a0cead94a166304fcb833fac88dcd460bde56db32362871e4a7af5c8023e7770c48c4b6cb6b4037ba77a625f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\DC9D9F0C28D6EBD1ADC348DC29248B1D4BA307F3

Filesize
17KB

MD5
270009839b4acc87e42e5aa37a130f7c

SHA1
d58685906ea3dc35d0dae6ffc7e39d8533dd673a

SHA256
47c5658d1bae2f38425dc72720d6613020c2afaf85ac54e854e634f82d270e54

SHA512
493259eab23f08ebfc7cc012f3dbc24dbcbd2be89c3d5815e65f6bdcee23739018b8242b6c869469056c0a211f9ef55359f2dde7c2eed078b7b4fe40c5aeac0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\DFAE86F306DBC5934107B5EC3697F9EB95DD81F5

Filesize
17KB

MD5
b9b83692cf743657786bdc54358c8d9f

SHA1
29804f3ad789a133b63886bf52013a1608e7911d

SHA256
75f2e265a8b4517b2a0c7621242fbae2c1cd2965a94e2288cc1f95566e32956c

SHA512
f61273ab11b0397d452fbaf3a40466591b1ab896ce5834beb7fe91dcdc30320a44dc12a860cab75e0644d986502ccbc154e5bb84edbd071b7a8fc30e584cef96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\DFAF798699EE7D2494A7287D4CF123272A2A18BD

Filesize
1.1MB

MD5
6fba2517c36944e2ac72d7a479d324d0

SHA1
2c4ac39849445ccb1953e4ecc6387efadf2720fd

SHA256
f51718652ef86b065254cf3b2bade93c0935d656d38a347a0f72360508df37bf

SHA512
2b49527df21f0299ece128fd53f07096601953be8074f9d10ec0b6eefd55f70390897308ff3a989ecab0c80c6ffdcf28f51fcff1bf9600d857a6cbf4b7383fbd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\E3E096661CC12A0FFB4E42A32E6157FAAC411A71

Filesize
97KB

MD5
a920305fde9eb5928df3f2897aa24a34

SHA1
3f3aa18806204a63bbff4be19ce2f428de789c9d

SHA256
93378351323ae3108c50564621c1ce752e63537a58ddadf174bb783d4badadc3

SHA512
faaed9c17fe72c63d17c866faff539abfeda5b8d69064936c38f0a244ea9b3e585e2a8b1e2afd7088a00d404dc826071cb35b5e43550887e76b3c78b24654d1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\E7F7A560FAB7054050F81D89B8B3096A4AEE843E

Filesize
112KB

MD5
5990aab5ee0667888c6425f150418b38

SHA1
9f4c58e27d9bdaa1e31c3c80d1304e47158236ed

SHA256
f0819cea6c1fce1aca73bf0366df8897582ecaeff136ce2fd923b29996dba5b7

SHA512
aceee489add4872f06610f4b9871acc7c1c4ad89fc8aab0494a2ffc7bd25a41b84cd581ed06d0e215d9e8a90517abae41012c797d461456829707eb1bf962b39

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\EADE07E1F9C8A3E8BF0FC0328622A447B3293880

Filesize
20KB

MD5
b463b23d10669c6a981be4eb2b6c0b54

SHA1
a49e6de8ab86b8b65e6f00a6a9ab813d50e2b5d6

SHA256
3dc5e66e0fc9d1c0ef7cd4b8c9200d62bee9cbdfd54d3699f12c832f772ee6e5

SHA512
96618c3cea660fca025f8fab9d15f621a579bb29d719453c094799126d87a59c50c849c97467be9d0af07759dc24f94aee7ef97ea2f1ac0bf259e04a50cd7e53

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\F0BC12827713E1B35B5017737E84F88577954A95

Filesize
22KB

MD5
2d83b2ff03fa25a5682fa38f1e13e57b

SHA1
b10f3eadaca68fe1703600c3e322ec3eb85d1eaf

SHA256
76b40d2cc0edbadfe8f0da207ed3fb420b17a659d17827f3c37632ad9433efb1

SHA512
cc2b893061c5fada985488341e23c20ce55a5860dadc2f7056de9bacfb2a9c6e0f08f2119ef8a59b3972005d6f11a65feaf95975570b345c94a9910136d0579f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\F0EAF5000FD9C2A30FD2826A9F349C1386795C38

Filesize
70KB

MD5
0af44041f6b36b342c3ed1d60827cf7e

SHA1
4e1a6cfdb88e7da6e099a8d4b08b6fd7ee9a8dd3

SHA256
675bd4d23e7979a7ea6ac6d7b7e210d356eb1f7998ebf487318797051001393e

SHA512
525352275ccbbf0c6fde5adfcd830701832952665bc34b15dee63877c6b6704c3bf7fa140c9abcce83d372c5252a219202bffab185eb6ec70a697bd3074f9951

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\FB34FCE5F6BD6E98B4FAA44597FEA4166F4D6C17

Filesize
36KB

MD5
889e7997d8aceeb204fe4174e0c3eb0a

SHA1
7c3d828862362ead4957b82c984bf0038de99217

SHA256
1fe04267c2e0a2afcbf4ee905e6892cefab381f1fce10e38671373b855451ba8

SHA512
587d69699057197c511cadb02fd18ec53e3a84abb93745a3a81fba6084d94b036230876e88b9a7f1ae661511579adf27c3578dfe08a10cfd89c7a0a64b60bcd8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\cache2\entries\FDEA89CB53BBD1C5B9E4B6863408723BED43A173

Filesize
31KB

MD5
e66f2e634b78aa8a3e2ada3375c92e70

SHA1
6b55864311aa95188b56a20f40649fc44da1d026

SHA256
5ebe56c70e909dd80ba10b7706860c2a183dc28fc1785fcae882f5fd87f31cfc

SHA512
a6c48d09769ebe09d646e4094bc734cf4f3393d76b59cb742c85b9d5d253a75e78b1bae9f2fabbf4a0985b910f917ae68ee1d7f387de23ed22a15437e87b6c7e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\thumbnails\447c1d819532470f427483b5c2ad32a6.png

Filesize
119KB

MD5
a8795f26c04f47a7319046b04d2a9adc

SHA1
212007b558f0fe2c857e9ac95f402b2c644ddba4

SHA256
8751e4d32242b901a253861ae0b4ebd2cabfe207929701424e2623526db99352

SHA512
dd52f2a8f151970b187c0af7982ba73cf019e6e593bf3ee100f99c1a3a384f413dda8619fa4bc5c93573a11ef1d0eb191a0154af616ef940f1cca6941785dd75

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3NCKP5UQ\microsoft.windows[1].xml

Filesize
1KB

MD5
4bedd6ded24adc3af65e2177bb5bee41

SHA1
d58a8b173f020e76ad0118cd71ecd6ca91543915

SHA256
b7a5ac42c92211a4ec0c1d5f6fd90097ff4ccc44a2ccf075b6e65d640c697373

SHA512
a5d1a13f065b85ee75087bb64dccf2de4a90e0b56072d54c8dde9f1eabf8530eed29c3f4af5dd70be1fdafb7f0d5b4b38ea7cac1142fc8e137664d3aa0017151

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fd8a800e-0c42-4e37-bcf2-1a81d0f1fa59}\0.0.filtertrie.intermediate.txt

Filesize
30KB

MD5
d9a0bfd2d8d4793ddab91ff348713a96

SHA1
d08b0ae7b8c5b9a1e19aed38050355c509a7d9d8

SHA256
b8a16b8aa341782601f35fee124bae47eb661e1a576a721691cdcb54e6dc25a1

SHA512
372440f8ebd47acfd0f0f1e76d976baf1f0ce6659616f57ce6e3d45fe0cab86a0164cdd54b16ce2030f61e5813c9f4e31000432555619d7dec2e88376c3b5895

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fd8a800e-0c42-4e37-bcf2-1a81d0f1fa59}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fd8a800e-0c42-4e37-bcf2-1a81d0f1fa59}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fd8a800e-0c42-4e37-bcf2-1a81d0f1fa59}\Apps.ft

Filesize
41KB

MD5
d826b073e9fc24a1f76c7b0586a622a7

SHA1
6462457b5391c422a94d4e7f89647ea0a194cd3a

SHA256
eee89872714980cdb853b07d887f3e32e1fe848a6dbcf2274f30e2cc4570ddb1

SHA512
3e85e93477da7bc5f9813bd9c1505962c8cd8ab9eab797b7738afeaebbc1992cf4eb8d813b1af1367aa0e2af05166e71015ddf51d9deb8c673263862fa91b5cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fd8a800e-0c42-4e37-bcf2-1a81d0f1fa59}\Apps.index

Filesize
1.0MB

MD5
6895de3328959bf29703f3abb89a9a4d

SHA1
6ce97ddbd0e16b15feee74971427d55c5898aa4e

SHA256
45065a976b4f3762af3aa98cd6bb53d8849c43c0b1599856eab848b8dd055b00

SHA512
3120b4a304ce2480d461fd2aee1adfac3f69a9d6e1875d06e65f5ab878fd9ba1bfcc30c92b6026f03c577e561be9337023b6b78b3019fd9a95f6159a0169f174

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133774855573511342.txt

Filesize
86KB

MD5
ce2bc10a31d449421470a6cfbea120bb

SHA1
1813cdb61e1f6642e449e74c065558d6e6b75f38

SHA256
6fb6591b8e9a2c6e6846c65fff6867502e704604c154bd898fde999803cb99f9

SHA512
a25097f15cb5869eaa2007d78cd3866937525a71bd1e32b76d34bed7e33f125f3dcf7b6c446af1c6e9a89a436e22785530d715c5f036d12808bef010aeb3319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anmerkung 2024-01-18 231511.png

Filesize
324KB

MD5
83a57cb2d51c58283f4b7c663182a478

SHA1
0673de40faa5430d80e4aaf29f5f84852727618a

SHA256
01d538ad6307ea0a09750b557750f1bdbd26a28a896733e69bdef4682307862f

SHA512
e2b07808a107c76cac564d8ec6f615dd920401f16be55c30555e9fc82ecbba72c8046b540ef351ba95d8a9fe7170d8ae64874e69d42f5d5ae8e9975413e4a07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_bLwO.part

Filesize
57B

MD5
63728d0a1d1d944dd710f1e547dd5518

SHA1
299949e52899f58bd602345238aedb07baa72e0c

SHA256
5d0999123e1e4f62d61fb4af1903c55db191156bbed7c3bee42d84f06edf4ede

SHA512
9ab4fb4665fc1664d437fe506ae4c005597896bec1a00a0023fcc53f7c5394f5e9b58f9c6d81588c99f33b64afa16d4c12cf6173535b15e947d8ca3717fe44aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT

Filesize
13KB

MD5
7070b77ed401307d2e9a0f8eaaaa543b

SHA1
975d161ded55a339f6d0156647806d817069124d

SHA256
225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712

SHA512
1c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1CF6.tmp\LangDLL.dll

Filesize
7KB

MD5
9888fb6b91a680305b2a3e7b71d6561d

SHA1
4a7935da38f88e9f74f425078ee39eb6269c4e63

SHA256
81726604d47b192620bcf90d6e42ba8ee8b4c54935b0081655e08247d6b6c675

SHA512
f50755e5624bfc3a60a23a7dda012509c1e31d9772d6a0ccaca88e32ae8d4602e10e38003d78b1626464502db7ea7c47d772efb7b3ea7c3e2238bf3b9809f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1CF6.tmp\System.dll

Filesize
24KB

MD5
d997606c77e880be2744c44128843d60

SHA1
92bb9003dc14ae03963f503e82a668877ca4295f

SHA256
abb2613ff851b2cbfb61bf97e4eef9d4912abcb46e04774ad84812ab75d4dde9

SHA512
714d7ce786e9fbb6f0d0e537a146a3a24aa79089669dd168b7c110dfba667fa7afb794b3dd2b93fa76e1d1771af3347a0f568cbb0fbcc8d9755de9e6e54382b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1CF6.tmp\nsDialogs.dll

Filesize
13KB

MD5
bd0d7a73d0fc619e280372587e9e3115

SHA1
0cde473dda5d4fda8190e6460f3229cae2571af5

SHA256
c7f2afe3a2424e71563e69d862dc027d299d84fba4ac1ba11e593361daec0a80

SHA512
914983bfa336f9ea019bf5dc9ee403af56a6c7c1d88b8092609e4026a3377daa6ef9a8e51a93537f6769ae165c264763645a363fb6a89f8689f59caf985c18b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
12eccb3f16c36df9554b243b0e6a642b

SHA1
0610484704b27bb19fa7b7074077bff9ae103f96

SHA256
b3974ca4d6d68ff27074a7aaaeae3c1d5b2465ee755fa3b392d59261ce9281a4

SHA512
ddf28108c8103b7a6497ad1f9883c76dcf11e5b7e18bbc202ba6dfca3dbe1137bf2335354dd52d93a8bba8d451120bd11a286a272442d56f444d744fda529d98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
e867c82b11e251cb5d60c2be08f3e466

SHA1
56f4fc3426040dd140ae0842f11919c34a5ba2e0

SHA256
d8d3ab6a134ff5c13a16c41d4a44117069c647c51f5644ed51a6153f07644691

SHA512
a704531808c3a0245c1e2cc9e9292f8b6bd15bd6e5d414399ff62aadbbf1d8ff4f6efc3d674369086908fea00127611ce2500811bbf9f4eeca013ed3d8472ebb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
22KB

MD5
667dfe926d57bf0d8426712843baa534

SHA1
fbb85850153c87be24a2045137e66e89b0b9b185

SHA256
723557257ee19a49cac8a121c0d35a8bb3f4811f1ede50bd6bd1f784fb9c9430

SHA512
e5008b44b1884477aaacdc3650a73a80da174a948f9ed505ecf84afbfa8ea986642b9db64e01ca38644590ed26af3d8d01c443c204a9bdbbd0fda552f4aaff9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
0772630595defed3e3357cf9ae532d6b

SHA1
02d329756677105b6dfb44c99fe55806ae31994c

SHA256
aa6de41bf0b4152d0a38a9b8186673e28ec218c98edc2460633dbeb3d7a686a7

SHA512
61c578e4e048495aa3afec5746d9fb5a2953db604ea32a760d516002b2b08ef89aa064c7bda58fac13b470a4d06e337bf0d24ebcf4acc5b8e1e531e4f8514d6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
25b41f51f98d3e35cf25475616f1d73e

SHA1
e8c59f79ed80783e8c73090247ead5312421ec7d

SHA256
dbea06985813bdceb2a4ce805b765046136142140c43f868fbe0cf7c459d4de1

SHA512
9a56d2da13490dea2e9a9f7bd5e9ac540ee9bca97d2f4c73393d281592ce2aa5c99ffa2f1725a8f1369a6b0643da2e4dc80f342f006aec00e052d84f579738d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEU4UNEO7WFPCMUKJRRI.temp

Filesize
20KB

MD5
3a2246fd193a79699109ac5a5cc7d570

SHA1
c8d13ae4a8ff921427256879942df47c0072fc2a

SHA256
69a778b4fcf5cceee9e235f85582913645feec48d4c62c9fc40dc373c783a737

SHA512
40f77ec206e6155039d4f3e9301c8222889a0f53ddb1780b905c757fd0e0eead1ae1fed827d7a8fada99e2d5e746e7618300056c122377d26cba3ad704d55890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg

Filesize
39KB

MD5
655d9f0cf81ffe21abba5cf876043e25

SHA1
6b2d8c5f9a422a97330a46de3189a2aff082525a

SHA256
1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43

SHA512
f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\AlternateServices.bin

Filesize
13KB

MD5
d89b48516b9cc8507679759bdaf4c297

SHA1
7edb9251567a3be48a44d6d2bd2882bdfd58954c

SHA256
50cad9bdbf819ee7149f13de2b9c897c0e522c34f5844d49c5cfe3bbe42fdfa4

SHA512
bff5339ebbe9bb6a0ef71c7cf36251d22bb210c5c9572e4e37263b2f19f92109032cd5e0db547f1a110b3bd62f17e694a0e87044ecafc10b4586638e21dd3d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\AlternateServices.bin

Filesize
16KB

MD5
26575a106212f8963b8a267f0e61953f

SHA1
7a4a6d18a1b582774b66b1cea26d48a21c8bd38a

SHA256
feec42d1e534def22f2dceff69f267de2f619243b3e210528e5bc1983e9b8d4a

SHA512
647e08d33cf1220cd3265d4faef3638422de223b96d07697b9b7bf39ec15185e652cacd59e24f2c16e56eefa84fb2681306e2829dcf4c7d5015df1723f2be2c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\AlternateServices.bin

Filesize
8KB

MD5
46605b3cb276ed28093f16eb862e755f

SHA1
5ff4c27a212582f030bfe9c688f943992968c38e

SHA256
5df002174e5d93586be108ad06d40f934ab2ba63682dbdc759da82f64753eead

SHA512
1618182f699128d9ded7d68033bfd0daf13a99af4448cf5843f8024de577aa50906eccbcc928b73ad9eafec849bccb6c92b8f1c58f8b1516741f19f14be53501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
57f1e38faba8df2dcfa4c9a0053304dc

SHA1
a8590fb3023b4d8bbd90229de3d573687d5efe25

SHA256
b5cff7dfb5273c515dfeb438a3beef57ab715aab5365f7d1ece961e00abe00ba

SHA512
9f429b65941962918f1c9ac256cd078704457cf0a4800778f5e8ca24f13f83901aab17604d3917dc72fa5d272cc05d62b86f29c2141b508aa14c5a770158e8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
89KB

MD5
b855d8ab579c5b47e1baec6a1b4cbcd4

SHA1
02443698e2431978e988a5d26fa1f6261258480d

SHA256
d0f6c1ca1f352ce55e78174b623ca0937b803c74fc498d4fb0a614210918fd7d

SHA512
e85dfd209d9aad17a3e01075cfa80636bdc9602ee2889c5eb3ce86980a14d135bbbb78c4ab96a0170683e40ae88e7d39813c168994e064789830b3692d75203c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3d7ad10b7c32a87a330af55e5af0b3d1

SHA1
d4b064df363ccb9e437fbb77a5f5644aaf7ec50c

SHA256
c2e4d83af92847bc08c71cab88db3704ba37efe2ea3f379a7e7b6916a2a62721

SHA512
d66c40285bab1a87f27f5548139171a3c3308009c7c184f0a29511f3537745cbb05bfd756964414764f5f539c3299f61765f011b8db577ebb5fa6f60c493cdde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6f1ad4f476dccc1305e0ac8b57df4ab9

SHA1
f9a45611dccc5788571e715d5f9204db74ef2eff

SHA256
9d1998e8a3c9ade5ba0e805a980cf6d885ae5877e733c7a7d6a1224fc1f64c9a

SHA512
93818c32464e62d0841f6e71adea805be5d29ed3a7a3b48641edc52ee717f703e2eeda1e6b8f231936e3e387f0bcfbfa3193b8ae5dfc9b63a2184d72deb72de9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\55190b89-179e-4a84-ad91-b7abdf76d6b7

Filesize
982B

MD5
ec5b9aef56e5efc92c2ead597703f795

SHA1
8df4e02d89fb7dd7fa8337cfb6a53b5595ce4dba

SHA256
6dad3ec502dbc294737aaef787ff289fb9c6ed49313847e35806b1ebf010898a

SHA512
a40210c49f43bf7db73bf3eaaf91d38f955a648718df50576482bec3a9dd4eec85b17a9974b18fd602ed1c8d901aa4cfcf18267f696084794f209165a08fbe69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\5c2cf367-4d53-4ef4-a6ec-e0d9bd9cbed5

Filesize
26KB

MD5
3c7b4b384f2447ad2d741a485e0803f2

SHA1
a2c1acadcaba407a78ce7221c4f992bb58994df4

SHA256
e9d2bb6003ef440667e21bc62d3af19dd33c894ec10949966bcf0f1641b46a80

SHA512
d7b99edc74865adb7cdf46498506c06fa711e864ee5a8b44a17588a0bfd472320b6382853180ddb53318306513dd5eda75e0c46412fbb2b82b98c90f3f68d872

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\e40729bc-7675-4502-a6ce-99c18a075748

Filesize
671B

MD5
1571664ddfb6f8cab8274ef01e4d8d73

SHA1
8a787b8a4d216f4a9a959283833b9ae6f5b90b95

SHA256
8a48edc8acef53a462c1d95747832f3e3ea5170eeab8dff606062678fb261e91

SHA512
f7c3e2df8d1047f1e53c458fa5121ceabe6c50fad9608a2531856973e74f222c53cb427bd593946901490a8cb479d5ee0c4497de1ff065dc555fd303d963553c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
11KB

MD5
589c03a7c5e9c350d9691f5f05afa2bf

SHA1
caf6143408948112862695c723f3c9ec7d406ec4

SHA256
46cd42ae1fc0d7ccb02c695a72ad750d2252b807b5e545eeaed802f414db58cc

SHA512
2b3474be07186ea96ead47c4fe9424ca94d0f1eb74794838d5650b97e382b039cd2762e07be5afa853de8ada9467be766b8fd9efe9e912dde98932c143459f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
10KB

MD5
bddb1654daa8d7a30cfcbf4a0daef4a5

SHA1
a032712d26c81f4d66c2ae58468c18e9b24b4896

SHA256
41a225e49bad1f8ee54192a743d3f9a26e6eb1e7ff40d134c9b462a7ffedddc9

SHA512
ecef135528ccf6076cfc0150d46aa99748b40d4b1462b9c74ead8bfd1e6b469e316d35696ed7f361cc082aae9f06dbcca438e5f6c9e2086dbd9d052cd0abc094

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs.js

Filesize
10KB

MD5
2428710cd362ab061f75cc3ac281d57f

SHA1
9781270c8c99fe415ab385f4101970d2f12e5c9f

SHA256
77f200dfc280e7e2edd75ff07860bbfb71e5655f38468150a3e05ca2bc389c64

SHA512
7bb0af33d373f1f882d9ef6bc637916dccadd9b98e44eed783f9efb6cc5f16b05698ccb55771733d7a40d88e38cd83519ce69f9b890f098c19b00ae273332229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
073b489489242e0535f988b4ca10c645

SHA1
9623818e784df5e0a0a0c0381da46292817a4f40

SHA256
d1980aab8e3e39f5fb50b37563809a5e9f1787c80038bc7e680296f7eae825c9

SHA512
55e37d4546eaaccce3f5855afed6b71bcccffd826266341a42256d65a8393724effcdaf14d1e514d166b77ae6395e77cf708241bd7fd0e66a0acb63a23f4e3f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
75b255235e60860076f702e8c07b6706

SHA1
a3b2831a5f9c88ef64050027ecc4cc1ba238e489

SHA256
ee32625bf98d8d8daf58d051bfb90ffac679b7784297fd1d45c97371b57f4018

SHA512
bb350e84a8cc6fd3ab1d4fffd8c4b2a56624709704752b2261271e7d7b0b348bcc41a1ac6f9e666125aa99b2d91cbb23ccd20c075e457434f28c87e1f3c4cb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
66129dc790d0800679432240e2a0c573

SHA1
4b41e78499b14725e3ffc5853cdfafe8b43a31eb

SHA256
f4967797223abae1f1f12fd81b7dd51b37a9ab27743065a9ab7f7a17cad7643e

SHA512
fcef8e13284b85cf4e3d8d22c161a9edaece9653cde9596f84ce0f779173d5a5f61f9613862fed713ead6c3dfc3b11334f444e99b8921a05b21a98013788c72f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
cf3757595b84327d70ccc2bcbf30897b

SHA1
9a510bedd2a2aa57a37b2e6da05cd207c6c41f2e

SHA256
d0dff731f00f96d2dc37ea53b756efb2ccd788a8f7bd3478df3b6f246236f7eb

SHA512
0d75a68f4beab4cceceb4621d6a88c424dcf58e4d10cf82f91f6ff5376ef118814d3515b1a37ab0fd0cfb841d7eb8956b7a5b323222f018c3fbcc643204b6c24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
ddd2ac309cb6446601de40809ad45625

SHA1
a1e6d802d18754966f19d55747cf420881fc3434

SHA256
bf2a333f1360ae6ac7b47d93c2f1a7a34a1d25149e7c757d8264aace8c3f9d2f

SHA512
70e8e24cab6275a1e1b43ba73b15b7b8bb125a4a6560f381f92147097cfaac02cb630f39a1fe8775794b025d7ce97e68eb9f51ea8130c7769b00bf58cfdd4047

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
8adf95c931c51e540b4a871900a7b608

SHA1
c4887500c65940403494a16dc74b2ca4dd12971c

SHA256
e0c86f79c981e95c9d356baf1370510c693d2c1ed6588a98386bc68ddf4da209

SHA512
fc7a4f3cd9bea28c5a5155ef23bd12f5105addb33d0a8f68dbd282d44b0ccca3c27986d8d93870178495311dab0629a4d6d4d8ad379dc3d499907a0caa467bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
d4e2ae6d4d50f0bd422c7ce2d057b72f

SHA1
d09dad3719a25108f204c7bd564288f634ae879d

SHA256
fc582d46acbe21cda259327f4c3ceed9cc2f475c320ca9932eeee07d9b993963

SHA512
0f75cf92a1eadcf19534d63ad33fb6e5a0c728aa79f812c950f31598150b3eb1efb7777060c2c1226d13ff778d8f7774c71dc13e9124f4cfd629435e13708709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
65db44c18e4c710ffa18f27fbfbf94e5

SHA1
e234f76dfe5118990ce21b64e5ad57f57db76b9c

SHA256
b6ab06caca52094ddad0325bd157e3a891ecf93dd4f0af5957fe853153cef55b

SHA512
0ceb214d48e1b9f2f6baf10503adf7e72183b3d6e901ef7ddf21ed5bd9ee5709410467e085f2424c78abff051b94d68fb2c370dff876347b36c2ddaf460ddf59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
2437855be757587eb4b3aa369626393e

SHA1
5bbe2d3e8a444069ccd88fe0769947d1d8af02b4

SHA256
08365a9e024a728779f75858084fc8e4a6b5afad62d4cd41c191da36ea397ab4

SHA512
b7f8a5036ab83f3ff4d3d013a4fa64b14588c8a4a7034aa40bbb5a937071731e694a881d67d639d1e826715702d62608ecf0b279f23a3822e8c4f00ca8051eb6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\broadcast-listeners.json

Filesize
209B

MD5
97c3738563a9448365a735f5f29ed3d5

SHA1
15a81433236ca6e6ecc4e1c8d0fdb8523b265c57

SHA256
63221253f5c30efa214c2cd2adcf51a9c9f9a2c05f119b00a51c9579825c2c24

SHA512
ed98f42d5d02ab53a9e50f80b312bed4b5d05d053bec582cf9d619ef91251e86cf4f4d1123c645500fc1dc4673b49a8b7badd3f3a39f565ac643ca4fd0157ae6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7fba44cb533472c1e260d1f28892d86b

SHA1
727dce051fc511e000053952d568f77b538107bb

SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf

SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extension-store-menus\data.safe.tmp

Filesize
245B

MD5
4739996064bc69a04af122214e11dc8e

SHA1
862b1f36b4d700a5d9d5caf12099f0a28f697cd7

SHA256
10d1811fbfa9bab315b60f991ca0370d3e250ff0d5f2a9e83f8f838ec14ad120

SHA512
d3aef729c70e0f7ce3ca83f88b1f70f4c0e5cf1be154cf37f12174ddd50a92a8b7e65b8cca3af81f5d4a238c91c83ef20c9ad0eb041dc2f8ff2dbbffc3501e52

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
16KB

MD5
9de49cd788ff5557db875397b19aedbb

SHA1
ac9e118c5c4b589627f5da02b18203c56d5bd4a9

SHA256
3cf8ef62ccf1727a902610a73f831f2d74aebd37ff18f9b44f748164270634a0

SHA512
d50087a7df9d06358a4c89f3b81d2bb88d1bf1b24f183664e74a708e4b024307ad5c7449637cb63d66613b9b5d59161a0ddc135627dd02317c61d88857625e3b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
4KB

MD5
ffef9f726542fa28c6bf1114a2809887

SHA1
2201c1589f57052663b37a54f8ab6891e6769195

SHA256
b848a48987df809b5b95f4cfd1a60be41d037dbf6e47e45fd0061078480425f0

SHA512
d5a28bce596cc53fe5e03bcf0fe9b3d67d55ad70eb1e6f40db1395b035a106d15799a3cee50a154dde13db3c8333300d60dd7f670632e4225ce669e54a228fbe

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
80f7bc5c372b1be77130e32d7d2ed1a3

SHA1
28959ce2f6d43647dc26828cb9abdeb4b5ad0e09

SHA256
da0ac238acb885e6b95656b6575b4cb0edc85aa9a5392f5dc0d22cd22ce349f0

SHA512
a522c8cb15c42b3384b22f8679ade01e2b7d15ad72d31de2ea7adc1cc600bd1da344306e973cd170e95b2950605c677bb4b18a5437ed6e49e35efc08d365a6ff

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
1a21fcfcda1ee61214a62d2390c082db

SHA1
d185eeef587d252f09ec656b7d3693206ab09f2d

SHA256
56b9362f40b7f3c34ea0044c190b4cca978642b3c0e0a7ee5b107a1c07122259

SHA512
bbb0e6ec137576550e4f4750a2da62a5a854643e172644da5011c7df5ba4b9e5994e789e1cd334291136532886fa27366c3472184b9a348d302c963fe52f2636

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
4KB

MD5
072fd1afa1237c422c1e784ab156e042

SHA1
19178a0cc614efc725788fa7045e82944c7a625d

SHA256
25b0ae17c496763991f80bfe2ce0c83f6d14ef8258c13fe4bf2671b56bc37297

SHA512
0a46f8d4adb6929074e4198eef6629190dc006724c185d3c9d9f30f839ed025124c8186821cff4cea3c5e374be5f231d6ee05f4262fcf2c061c780565e9d6c4c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
1KB

MD5
fd40cc036406de3d362b6b5c510fc273

SHA1
59947ae21359164a488b7addc1b3aacf497761a8

SHA256
38f96af438a38de0e9a0b4d4d6aaa8a0dfc477ac67588e723c2122f7026d2372

SHA512
7720d4650b4abbc6cdd9410252746976f3bb96b0c971f1e8bbf8859b530e6ef17970b61a213fa3f7d3ce71d86847158ed61525843412b056480077c690ee9055

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
1d25351700cb4af59d13ab280c8655dc

SHA1
8ffda9bc36e1c169342d1bc910aa7f9dbaba24a8

SHA256
f4c6f023bd73bc2d5df2fc1fb4cdf5c9dcc920e89348c04e60dd35b370575818

SHA512
932a8afc3b580771f8916eefec2caccad6dd037440e67dfb31db2e2133feab26937feadea50f4b67eb4fd82937d443eb1f28b38fde8e3687005542f232b0d4d4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
b5d1252692265b68daf4c08d3cf5ab0a

SHA1
ba07eef45aeaeb0de4052beb27170f951134dfba

SHA256
5b049d1a89e8b2f997a09e13f54a9bc56a3fcdd4d9654393fe909b05a9009754

SHA512
d93694e3010224a2ee3ee89c4c83054c183c54ae7ee2028ea0aa5718aa0c4cf5a0f28207606cc7e004a97012b493b1040598e920fa08e5fc9dde1e22f42319bf

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
865B

MD5
32ca53825151050ac3488ca48f5866f9

SHA1
4fa123bdc7ba9994f2d1b26d500619060ffae65a

SHA256
c90bf21f2cafc0952b1963361d061a24aa8a0dc8ce454c8adb0da9b78920f9d9

SHA512
4860a53562317f7b5c42c5974213cdf4bcecc981f766a3447b73f543e630d0ea11a16bdece5e7293df7af78e09a1a198b11d04afc1e9f3f9040f8868c65dd9a6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\default\moz-extension+++4fd80ead-b6dd-4ab7-88ab-d0f48382761d^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
6e53ce51ec97ac140b87757771cbf85f

SHA1
1464885fe5edbf9a7aebf50d24229ad4d03b6e00

SHA256
582fd010bb9b0c4e44cd48b139b730c32d3e55fe830ed817390036a9f4dacc92

SHA512
af3f9a51b455331306f477b4ae0c348a42f5a2401c7b03806d9040b8af249a2905f83857dc2923a89f14e3c521f634f84b33c9deb902355b2231b4cf51b3c086

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\default\moz-extension+++4fd80ead-b6dd-4ab7-88ab-d0f48382761d^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
18cbe73cfcf1adbaf01f6e5ad4391275

SHA1
4be8b4cc5a87a2098777755313234af2ef4118b9

SHA256
63d0f9bf966bc3096d641e1c868aed94ac154e5aead51d3d1bc5e39fadc8a346

SHA512
0997206fab454f9559224ab0d28fb5062d1a2ed6b1e2129fad385f78d3926d34b2b359d19f2123bf143c59aad26a411c53beec98ebe693efd15b6178af7aeffb

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
136KB

MD5
00cabc246fc4c6c2ad59184bb2e402c2

SHA1
9c1e169a8902eb71e7e7b47fe7deda813c92809d

SHA256
c9de7688046c00f3befc2151449ee7a8ad874c4461c6794ba6b896e214b6bf8f

SHA512
30fb61ec69fa1b56035d798bc3401d556bb505070c501bb7a4ceb9cdee527659b4109f1138357888874a5cfe629e92d3dbb96f79de30182169210838710fcb76

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
7601e38928235136774d5d252b4a87e4

SHA1
ab57ae944de62edf7b7304de5dce4940a4065278

SHA256
68e1fdeb2af92904fa3dade402023dc211d942f1f1aedbce99c74d8a382d78d1

SHA512
a8da67b7cbfd7271c772b740b04d795327b9c924b6239f553693c1f795e4a1f67319d5627327316cc5fe9a045bfffd13bee2c0e114e5586955345817ff1add7c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
9.1MB

MD5
ac2575fdfccaed0a6df1bb07ff927c9f

SHA1
480790f23f5ade3a7d051b0a9dcae4d60d0a204d

SHA256
e506a9749e4053e14b397e030d45598ad55d710c8d3bba27f55d1563a1ed11bb

SHA512
37fe3c1b9a6e1fdd0c9df3522d62cd33538d7e10800aba4c73f030cf6ed995bd46ba3a1f18c196a47c3afc8c7e260690112b9c207ca7195279d7ed00621148b8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
25.8MB

MD5
873993427192b8e6cb35f9fe797dca8d

SHA1
6444de6231c838e78c467fd581f36119033d9f6d

SHA256
9eb08feeae6b14aded98293b6d4c89624e63bd2e09a0b57b8a358956d1f5afc3

SHA512
94ec2fadadb607e027e0bb037316f45529c60178586a5b701d05c7bc66ef8d5d5249fc47380a6e2c73eb164a8d726edae9e14fd67296b33ee3be45feaf174220

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
55B

MD5
a515bc619743c790d426780ed4810105

SHA1
355dab227f0291b2c7f1945478eec7a4248578a0

SHA256
612e53338b53449be39f2e9086e15edc7bb3e7aa56c9d65a9d53b9eb3c3cc77d

SHA512
48ecd83a5eb1557dfabfaf588057e86fb4b7610f6ece119d6d89a38369d1c9426027520ce5b6d1cc79a4783b9f39ac58afb360cc76e05bbe8bbbd5128c5d395b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
937KB

MD5
f48958ce295af595f261850e33793617

SHA1
cf13f6800b5fc4217a5cc1d0b1450c1c753b2098

SHA256
460aaa6484bf8422415dfe08260e8536866e3731ed5b8b7913cf4b7b1333493a

SHA512
7a9de625cc9b7d6ffedbad19201558b191d1e32686c7f4417571b25838c47dcf8e16ca63772c94827a3abd6b646c8216962deeede6ba713180e0dc3bc7871649

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
3b4fab842371bd6f28494a288a339256

SHA1
cfca591cae4bfd28486e5a23b406e8f12e408942

SHA256
ddc7a6c3a4b50d23daffe8e364c575fd7df9af9711b14d153b09553ddd3670a0

SHA512
90f3de43a01853d0029e8085f2107b3640074aca10ba8ab9f73648f203f270974fe0ce4df882ba9320c2aa18e2048c058bd82d7816bda7bc94a8baf333a05132

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt

Filesize
296B

MD5
b699245ef09504ebc6f7851bcd00524c

SHA1
7aa6fe2d8496f4d23f401d5867ebd174f6c1ff61

SHA256
14014e6904c0a496afaf2a7ba6f63926d16d4e8695862d3af439954434765de1

SHA512
d3a56cb9f0e9fa3fa4db87bf5e8eabf78cccc297ffbef3cd1f1969621c1bb50eda42ae8ccd40ffb06aa69fecad18c0ba8f800b501f1446b8aa454d2df06521ec

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf

Filesize
239KB

MD5
75a26f9ce250f3ba740481374081ff86

SHA1
7841512f9c97da85e037e03b27adeaac2024968d

SHA256
2d5d78e9cc27d7193926c7e460314c9da7dbec1268494dbf117adc53c171ac06

SHA512
7922811ec908ef6a39bb9e33927275393df06bfe5da22b75d924efc0e13e399ba495b00fc245c5a8ee3885e2f1de212dc366aee387b15a87d8726f69cad2690c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf

Filesize
596KB

MD5
5263051e028cb83196239d4a3cb188a3

SHA1
e33d657a2646a020fafed4ea6dd0c05033e1ee02

SHA256
61b72eacd39533f0e5916cbb458abd7b3cf870667f63f3069dac2a75aa0317a2

SHA512
902dd869779426736ad61419b0a877d0019a9201e08386cbd456c6dcf11ce2bc98819560797b2bec8960e70afaf38979ebc106ad745aceed7b079e618547ac58

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf

Filesize
91KB

MD5
b0329c36c9ecf880e0cd488f55f1cc52

SHA1
6dd4397372c50052f8150826627f70424bff5b14

SHA256
4b51541536a7b28142a4571c16dc56e386c05f345ac9739ef8599d8ad4ed5e54

SHA512
333e405ea669de0cf1704be2fb5ba36571037af78440ff362569770214ef3ed1dd4c06b1b5cc0a2362c85c66876d090105369693b077552203a8d80c18614924

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf

Filesize
90KB

MD5
01881a746a50919e34f507ab4930c566

SHA1
038e0d8b49222a83f007035629b5384709e04229

SHA256
cee58a184e7e00c4332087ac01870a69ac52fd5fa17ea3783ac728c945af1827

SHA512
ec5fe6139e4ecdb409c44a06462a3eda6b63505926602bfdc688d2aa3b8bbd6e4b570cf5e60bb505df0b62fac9ea6d52f84ff88ddf54079a2561faf7b0a959be

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf

Filesize
224KB

MD5
f0b22427c3ddce97435c84ce50239878

SHA1
a4a61de819c79dc743df4c5b152382f7e2e7168d

SHA256
0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084

SHA512
ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBassaVah-Regular.ttf

Filesize
7KB

MD5
778376d22591a4a98bf83ac555ddf413

SHA1
608172ca18450b4cc61ff6cc155f66cff55c5bf9

SHA256
8218239377452e05634a91ee8a4338daf0aa96a15673a437533a098eb9c06f53

SHA512
e895a03374a3d3da04554cd048191722652ed4f1f7cc91639354843138ce26aea6c7f2da0ecda47eb76bcdd61a0315cc2e35e080a5953c24d82f4e94ce4aa260

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBatak-Regular.ttf

Filesize
21KB

MD5
e806a21fa414b8d5c6e6e93cad88979a

SHA1
b02a42f905ddb4706f9b603f5d57b5ab3b8f9d9d

SHA256
2ce9e91aa89c2aab44bb7bf944b0f445bd36f1a51ea21b7848e976182a541e00

SHA512
1c1d94d09a175ceaaef2a5820487f2753fbef1df2f073f7c53fb805aa769af6c7aec83b5c4d9acbbce2fe485670799facd5001e0040ac2d25ab3978993b1642e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBengali-Regular.ttf

Filesize
198KB

MD5
7b5138efef2c02dda9cfae9917cd913f

SHA1
b44b58f354c4a68e119df226f01ad763b2d1025c

SHA256
9f8b4dd091f19b111d24ea18daae81bea8684cc67de17ea1acd797e144bf20ba

SHA512
47e4cfd2218c91080fc4ccc3ac13dabe9efb7c96b981d53577177fb062973b9fad0052edcf2b0c663ff3b7a1d9e38e96586c93cb72618d64344b96e3df13204c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuginese-Regular.ttf

Filesize
7KB

MD5
bd4c30081a164037311e8712423c5bf2

SHA1
2a13bc7987ca34644b075c1fe197ba293b4ca527

SHA256
bc19f17d7f6e8f280c2cc95ef6d1b67fac25becfe98722f482039a4d84f3c9ba

SHA512
2a20d113b73cbca311d08dba40dcb7f8ab9d5383f7590b61b785070f77204db9ab163557a420c6c96ede815643f82ffdf75bc59b5802284779ff237616734c66

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuhid-Regular.ttf

Filesize
5KB

MD5
34699ac8824cdb6593b4dbef605dd6b2

SHA1
22ff82e35cbb1ac9053f767f404ee351786fe0c2

SHA256
328d80e11e7f65f9b6e4bac12de32b7ce42154301c2a14ba92155e32e05939d6

SHA512
fe714d5d44c6c2f4f96b4349bff301a67749bcb084ade3a0270723f1fa6bd6061193c4d782cb663d63e2c32cc809f33a8114e2e0bc6915de2b04efc82b5de673

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCanadianAboriginal-Regular.ttf

Filesize
172KB

MD5
a96dbfe42d1b33967feeb2bd1f5e36a2

SHA1
462e29c5f65663566784ccbe655de1668f8b7651

SHA256
6f489ba696faff1d96f8ace395c0d22fe3b82621f69bf50b337112fb47ff1f17

SHA512
793307c66cc1760d616bcfc2d2a486f7970f5126e7d6902384154b4619021d3686ba372ad8c21fde2d9b0849d5f6052c6b2050ada5f8debe64083502c282d85d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansChakma-Regular.ttf

Filesize
80KB

MD5
82f2c632a76dc9922cd85630d0c97db9

SHA1
4558e69543903a058b3d5a7b8f50a6dea8ea50f9

SHA256
60ce1d029e35b432dd68cc9f6c94f69bd84d8c97f28f06130186606dd2c3325d

SHA512
cbfe37179fa4bd8618eade5e5168dcfab9d784586319014692bcfc7f767187e4beee24b3afb471abdd9adde747eaf51648926ed1a790e9f8458152c283fb34e0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCham-Regular.ttf

Filesize
31KB

MD5
88cdc45929f90f1ae839c0ccce7d66f1

SHA1
087155fda8d4134161bbadcae8fc751b6c7a8ddc

SHA256
d48a34e02b4096eb3f2e008b74459789540598c2274d65fc53012517d0b08d92

SHA512
b43426cae9d747b5595a2dda99b9b5ac5258f3dc6b96c815998f5f68a4cbb14656a4f62004579732f08e7ab37a5a1b1c89577185af23a95e7004c0a89b65d25e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCherokee-Regular.ttf

Filesize
92KB

MD5
fd393a7c5b16eba60e38b72b5fa3a2dd

SHA1
d074eb1baea8caf869ba6aba69b9cc9b2fc4568f

SHA256
c052352137ae8d283840a0e2991a675d47859d8fdbae5726d373d4f0d97a8c87

SHA512
30d5c5f5069580186ded817621ad2c6eca338216680c288b249972d420f009fe94f77ef44b106355223a80ade7f9d851a6e6fe6417d2bbbb35b9f0182a1c9180

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCoptic-Regular.ttf

Filesize
47KB

MD5
c243288e787dc69784d8d45776290060

SHA1
a3958f295969e2505fa6a78e7b815f3299294eab

SHA256
e70bd535d7e6cdf2346eab36ea76441059b18ee14d3243e85240b5e65eb0ad45

SHA512
b52d644c4dbf9ee311de4ba0816b8babad95b83f6bf4027c19a2eb6fe7386159886a6777ca2bcef132e6002ac2d76b1bcb548c15a02939fdc2e1043f573e3798

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansDeseret-Regular.ttf

Filesize
19KB

MD5
c0d20faa4acd8b886197e897a6ddc7d4

SHA1
64355303ac0b639f0135bb51325b8aee780b11e4

SHA256
9f384e8a75a059b8efcbead73ef5aa3b504ac3e9d218be5368a20b19bfccdeec

SHA512
c7062651d7fdaae6168f65887f1a6d07b95b721efbe3d756f5a1fad58641f2b5fd1a3d732ae4225ee3228454ed1982c7258be70abb41ab9d8ed867915337192f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansDevanagari-Regular.ttf

Filesize
238KB

MD5
f4ae6809bd8c31573370e8da72514012

SHA1
e18b9aabbda0cc178436855ef8d04bce96533049

SHA256
306b53ecfb182a504dd8a7446093c316387d2fd8dc350d0792ed1753fe0996cd

SHA512
a53d78ecf6e9f095b1de336c648a0698891c61fdb0f5e97af8f968e5272232f3b7113e8758cd6149d46e226cd0240141ef05f03b9edcdbe0fffaf5d69fc99804

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansElbasan-Regular.ttf

Filesize
18KB

MD5
1c7297bc694bdb5baba7c1d39f333c63

SHA1
4de6449e4f8d315c91109a741ced09b86c3302c9

SHA256
6d52707e91a77e23f389f42b5da65d7047205e7833041fe0b2cd7ff280e14749

SHA512
91ba1203c4057c930ef08470395c91b03c2618f5decb9bbedd9b37f858a29c63e537c658bcae73fc32fa7e9e11911bba6d0fc540b16e180936c8082ef00f15ca

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansEthiopic-Regular.ttf

Filesize
367KB

MD5
de7cf6c6fa2fbc854dcf6d2e2716f1d1

SHA1
f07c1412adb1cc2d742546a25eb66ba63ee3c840

SHA256
f6f7fc379db9438959a2b0527e7a2cf36ea9c84626d56ec444fff37fc24c3c10

SHA512
ee98dc59d2fe843fbcad6eb2009ef865016478ef655dd2f873b4bc45c4e67908aac4b776c5846514d3f80aa4843d1426b797f2c385e7d3ce814d7d96386049b2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansGeorgian-Regular.ttf

Filesize
51KB

MD5
7d94a1c5f105c0c8b161d34b22371046

SHA1
251d004d967fff8ada4bfe1e20e9c2d9b689bf99

SHA256
d3e33254b09e7bb2c5cf0f17e554b80462056c5a107097f258d495168c3a9346

SHA512
44e7789735d338de10e34ac4a4a82fbb50d192ed29e38e5b5b33bd32967374f36b0e9b4690461157c3a762ee22aae129a1e6ac8f366f3f0a7eb1229bbf20caa3

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
979KB

MD5
55c84918eeba2162c8931c4bcca3ed6b

SHA1
538f4a7416b2bf2e2e7f6b7ce6e3ba2e958a281c

SHA256
475ba7306454eca8b469ee4e6b8b34492b0e8de66104695b6570ecb1d793f976

SHA512
8fbf04e461603dbb77dc06a1a6c01e083ca751dbfc9c9018bd877a9924138995065b2a54662cee32aa25e417dc526b29ef7c07cff680e43611602c22bac2a955

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\gkcodecs.dll

Filesize
10.0MB

MD5
7ca3bb0aeab55afaf9e9c9dc42fb7c86

SHA1
32025d63519be66fa0c83ae78d915104759581da

SHA256
7539103c203e166e99e662de38f1879573db28965d35d18119d2e4f13840b1f4

SHA512
d4f147eb4ea3f14de7eaa690b66501346596ec778585fe948bcd65516e60968057706b40326ac0d36355c6f3e6c5d8b1d0f9fba379f243205a766ad4ad2f449b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
493KB

MD5
2b8bda59d1f4d3ac4c3099dd5dcf1a74

SHA1
a984a13a7cd97849fec61c6ce02734becf5123a9

SHA256
eb4dec209ad9cdb392c66e507059a1c440c7b65554db39fe4e2e08569ef47dad

SHA512
62daa02577c780ecfe8662e1d4a15088903954e97f52dc0ab06b956c04869f26fb09830cb1ae6913f61955de0f4bc907427ae12d9a437ce2884c85b5ffa29676

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
327550b669b47c44fc1b02c6df2eaee9

SHA1
5065f975965fbfa4c95561089db15afa5cd483dd

SHA256
910e851009086ebc38098b2569e7863fa9327b4376fb1d95dfa9af12b4ffc6a6

SHA512
e635e93959b85628b17b51ffb13f23aa1484bf4adc5076eb77ddcdd586ab4dda94d26f47208b61a8511f3c8e73bc58021c9e72e6281ba66703554f55edc359d2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.6MB

MD5
cba336c08e2f22733af267bb07b9b38e

SHA1
607557d65b8e3594416e529bf27de372c679a79d

SHA256
dec976e7f6cc9940fa0337ac02eeeee270b3bd70e513702bda4f2f6159bfe6d2

SHA512
2f1440103914e5f1ae3a910aff4a290186cf3f552369fba9db96b1b7edab2ea39e5c94e4d972a5dd1ec30ac57af3d803531fc6dce21faf9c8353a0903c831b4f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
480KB

MD5
e41d527f15d42f8314955a1eefda4e01

SHA1
99c5f627d4c953a9d41a35250fe301439f062097

SHA256
183af1f9f4e3e75bfe8c26e64bcdd2860ec346301babdadf85a463ee85079486

SHA512
fc3acceab080fa6004c2dc9ded8f88fed450a1d33d392c510d3b4d45402384e1aea442453350cb55d3a0ecf92108f135bbd54de027d2689600b802f33afb12ce

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
18.5MB

MD5
8d3bc417e8056adda742a998e90f0359

SHA1
c44487b27992c8649082d9ae6843576be0450874

SHA256
d7349bd76bc7430bf9cb55b8291d47493d19f9691dca8b01eb27ba81e2a5a0ca

SHA512
b683aef5af955c50499869065bc1fca78e85b0c85f98c254657da50e32ca9e83f3aec9c6b7c0559fe613567664c8d5ea5444129fcdc841f1af0c4ba0e95067ed

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
301KB

MD5
cbc0ffe0830727a969685f9effac365d

SHA1
c6a57ee7a98347e6244aefaf80267210ab918712

SHA256
ab180ca9bac868f7b5c93ca551aa70c966b852c23a390c64cc168d8ed8d75f20

SHA512
c180d26b0f7090078866f03ae0efd48da1cc23bd99f86799e5749184cfa296252aa3c671196a259541b0499116d33369e0a55e53399e9c6e1f1fdb704931df0b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
f3db1e22f702de7894a4150af0d5216a

SHA1
3b61ae1d3fa2089a7743f11eb02093c0c97cc915

SHA256
e213e727a5c3a6768c89375d0a673f817bef41c0f661bd2fa66524798958a673

SHA512
7fd351a4669ace91aa78a3262ba95c9ec9bffb3e7598ede03ea57e3a998067b6ae16d85a9e3509dd185cd3f97f8d6cb6b6eeece5af140ea23b863766360ada98

Download Submit
C:\Users\Admin\Downloads\Bonzi.rIzOlLaP.zip.part

Filesize
49.8MB

MD5
65259c11e1ff8d040f9ec58524a47f02

SHA1
2d5a24f7cadd10140dd6d3dd0dc6d0f02c2d40fd

SHA256
755bd7f1fc6e93c3a69a1125dd74735895bdbac9b7cabad0506195a066bdde42

SHA512
37096eeb1ab0e11466c084a9ce78057e250f856b919cb9ef3920dad29b2bb2292daabbee15c64dc7bc2a48dd930a52a2fb9294943da2c1c3692863cec2bae03d

Download Submit
memory/2956-2297-0x00007FF92A210000-0x00007FF92A211000-memory.dmp

Filesize
4KB

Download
memory/2956-2298-0x00007FF928F10000-0x00007FF928F11000-memory.dmp

Filesize
4KB

Download
memory/4796-2341-0x00000213097E0000-0x00000213097F0000-memory.dmp

Filesize
64KB

Download
memory/4796-2484-0x0000021307620000-0x0000021307630000-memory.dmp

Filesize
64KB

Download
memory/4796-2534-0x0000021302530000-0x0000021302696000-memory.dmp

Filesize
1.4MB

Download