Resubmissions
25/03/2025, 16:06
250325-tkcb6syvbt 1025/03/2025, 15:51
250325-tagh5sytay 825/03/2025, 15:46
250325-s71slsskt5 825/03/2025, 00:18
250325-alyf9aytby 10Analysis
-
max time kernel
531s -
max time network
902s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/03/2025, 15:51
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/TheDarkMythos/windows-malware
Resource
win11-20250313-en
General
-
Target
https://github.com/TheDarkMythos/windows-malware
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 24 336 chrome.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt 64 IoCs
pid Process 5284 icacls.exe 3920 takeown.exe 1796 icacls.exe 6088 takeown.exe 5420 icacls.exe 5632 Process not Found 5972 Process not Found 4088 Process not Found 1144 icacls.exe 2160 takeown.exe 5948 icacls.exe 5908 icacls.exe 5144 Process not Found 1780 Process not Found 5416 icacls.exe 4764 takeown.exe 5408 takeown.exe 2508 takeown.exe 5900 icacls.exe 4212 Process not Found 4184 Process not Found 5496 icacls.exe 2656 takeown.exe 5452 takeown.exe 5168 takeown.exe 3128 icacls.exe 2112 Process not Found 5200 Process not Found 956 Process not Found 5968 takeown.exe 5380 icacls.exe 2012 takeown.exe 5244 takeown.exe 5888 icacls.exe 5788 icacls.exe 4532 Process not Found 4388 Process not Found 5168 takeown.exe 5560 takeown.exe 5548 takeown.exe 4312 takeown.exe 5304 takeown.exe 2112 Process not Found 6084 takeown.exe 4996 takeown.exe 5204 icacls.exe 1168 takeown.exe 4208 takeown.exe 5332 takeown.exe 2856 icacls.exe 4996 icacls.exe 5616 icacls.exe 2548 icacls.exe 5380 takeown.exe 924 takeown.exe 276 takeown.exe 5292 Process not Found 5976 Process not Found 4064 Process not Found 5984 icacls.exe 5500 takeown.exe 1928 icacls.exe 3520 icacls.exe 5344 takeown.exe -
Executes dropped EXE 9 IoCs
pid Process 404 Bonzify.exe 4692 INSTALLER.exe 4152 AgentSvr.exe 2816 INSTALLER.exe 2748 AgentSvr.exe 5652 INSTALLER.exe 2992 AgentSvr.exe 5776 INSTALLER.exe 4132 AgentSvr.exe -
Loads dropped DLL 54 IoCs
pid Process 4692 INSTALLER.exe 5068 regsvr32.exe 3460 regsvr32.exe 4748 regsvr32.exe 2700 regsvr32.exe 1904 regsvr32.exe 932 regsvr32.exe 3548 regsvr32.exe 2816 INSTALLER.exe 3212 regsvr32.exe 3212 regsvr32.exe 2656 regsvr32.exe 404 Bonzify.exe 2748 AgentSvr.exe 2748 AgentSvr.exe 2748 AgentSvr.exe 1644 Bonzify.exe 5308 taskkill.exe 5652 INSTALLER.exe 5652 INSTALLER.exe 5168 regsvr32.exe 5168 regsvr32.exe 5200 regsvr32.exe 5200 regsvr32.exe 2992 regsvr32.exe 2992 regsvr32.exe 2256 regsvr32.exe 2256 regsvr32.exe 5428 regsvr32.exe 5428 regsvr32.exe 5784 regsvr32.exe 5784 regsvr32.exe 5540 regsvr32.exe 5540 regsvr32.exe 2992 AgentSvr.exe 5248 grpconv.exe 5776 INSTALLER.exe 5776 INSTALLER.exe 2548 regsvr32.exe 2548 regsvr32.exe 2548 regsvr32.exe 176 regsvr32.exe 176 regsvr32.exe 5468 grpconv.exe 4132 AgentSvr.exe 1644 Bonzify.exe 4132 AgentSvr.exe 4132 AgentSvr.exe 4132 AgentSvr.exe 5524 DllHost.exe 5464 Process not Found 5696 Process not Found 5228 Process not Found 4004 Process not Found -
Modifies file permissions 1 TTPs 64 IoCs
pid Process 5132 icacls.exe 5676 icacls.exe 5144 icacls.exe 5324 takeown.exe 5524 Process not Found 4184 takeown.exe 5176 takeown.exe 1168 takeown.exe 5520 icacls.exe 5888 icacls.exe 6136 takeown.exe 4328 Process not Found 3796 Process not Found 5512 icacls.exe 2112 icacls.exe 5256 takeown.exe 5056 icacls.exe 2264 Process not Found 6128 Process not Found 5740 Process not Found 5768 Process not Found 5252 takeown.exe 6048 takeown.exe 5420 Process not Found 5628 Process not Found 5640 takeown.exe 5500 takeown.exe 5300 takeown.exe 5352 icacls.exe 4196 Process not Found 4576 Process not Found 5668 takeown.exe 5676 icacls.exe 4184 takeown.exe 4312 takeown.exe 5516 Process not Found 5208 icacls.exe 4612 icacls.exe 5948 icacls.exe 5700 takeown.exe 5304 icacls.exe 2112 takeown.exe 3404 Process not Found 412 Process not Found 5144 takeown.exe 4928 icacls.exe 5892 icacls.exe 6008 takeown.exe 1928 icacls.exe 5520 takeown.exe 6136 icacls.exe 6092 takeown.exe 440 takeown.exe 5648 icacls.exe 4764 icacls.exe 4444 icacls.exe 1892 icacls.exe 3520 takeown.exe 5668 icacls.exe 904 icacls.exe 5276 icacls.exe 5308 icacls.exe 5528 takeown.exe 5980 takeown.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" INSTALLER.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" INSTALLER.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: chrome.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\F: explorer.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 19 raw.githubusercontent.com 24 raw.githubusercontent.com -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\SET3FBA.tmp INSTALLER.exe File opened for modification C:\Windows\SysWOW64\msvcp50.dll INSTALLER.exe File opened for modification C:\Windows\SysWOW64\SET3FBA.tmp INSTALLER.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\fonts\SET3FB8.tmp INSTALLER.exe File opened for modification C:\Windows\INF\SET3FB9.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentMPx.dll INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tv_enua.dll INSTALLER.exe File opened for modification C:\Windows\msagent\AgentMPx.dll INSTALLER.exe File created C:\Windows\msagent\SET3B57.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDp2.dll INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tvenuax.dll INSTALLER.exe File opened for modification C:\Windows\lhsp\help\tv_enua.hlp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDPv.dll INSTALLER.exe File opened for modification C:\Windows\msagent\SETBEBB.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETBEBC.tmp INSTALLER.exe File opened for modification C:\Windows\INF\SETBED0.tmp INSTALLER.exe File created C:\Windows\fonts\SETC207.tmp INSTALLER.exe File created C:\Windows\msagent\SET3B54.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentAnm.dll INSTALLER.exe File created C:\Windows\lhsp\tv\SET3F96.tmp INSTALLER.exe File created C:\Windows\lhsp\tv\SET3FB6.tmp INSTALLER.exe File opened for modification C:\Windows\INF\agtinst.inf INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SET3FB6.tmp INSTALLER.exe File created C:\Windows\msagent\SETBEE1.tmp INSTALLER.exe File created C:\Windows\msagent\SETBEE4.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SET3F96.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDp2.dll INSTALLER.exe File created C:\Windows\executables.bin Bonzify.exe File opened for modification C:\Windows\msagent\AgentCtl.dll INSTALLER.exe File created C:\Windows\lhsp\tv\SETC1F5.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tv_enua.dll INSTALLER.exe File opened for modification C:\Windows\msagent\AgentSvr.exe INSTALLER.exe File created C:\Windows\msagent\SET3B88.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tvenuax.dll INSTALLER.exe File opened for modification C:\Windows\INF\tv_enua.inf INSTALLER.exe File opened for modification C:\Windows\msagent\mslwvtts.dll INSTALLER.exe File opened for modification C:\Windows\msagent\AgentPsh.dll INSTALLER.exe File opened for modification C:\Windows\fonts\andmoipa.ttf INSTALLER.exe File created C:\Windows\msagent\SET3B50.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentCtl.dll INSTALLER.exe File opened for modification C:\Windows\msagent\SETBECD.tmp INSTALLER.exe File created C:\Windows\msagent\SETBEBB.tmp INSTALLER.exe File created C:\Windows\msagent\SETBECE.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SETC1F5.tmp INSTALLER.exe File opened for modification C:\Windows\fonts\SETC207.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDPv.dll INSTALLER.exe File opened for modification C:\Windows\msagent\SET3B57.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\help\tv_enua.hlp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SETC205.tmp INSTALLER.exe File opened for modification C:\Windows\INF\SETC208.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\mslwvtts.dll INSTALLER.exe File created C:\Windows\lhsp\help\SET3FB7.tmp INSTALLER.exe File created C:\Windows\msagent\chars\Bonzi.acs Bonzify.exe File created C:\Windows\msagent\SETBECD.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentSR.dll INSTALLER.exe File opened for modification C:\Windows\help\Agt0409.hlp INSTALLER.exe File opened for modification C:\Windows\msagent\SET3B54.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SET3B56.tmp INSTALLER.exe File created C:\Windows\INF\SET3B87.tmp INSTALLER.exe File created C:\Windows\lhsp\tv\SETC205.tmp INSTALLER.exe File created C:\Windows\help\SET3B89.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\help\SET3FB7.tmp INSTALLER.exe File created C:\Windows\msagent\intl\SETBEE3.tmp INSTALLER.exe File created C:\Windows\finalDestruction.bin Bonzify.exe File opened for modification C:\Windows\msagent\AgtCtl15.tlb INSTALLER.exe File opened for modification C:\Windows\msagent\SETBECE.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETBEBA.tmp INSTALLER.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier chrome.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
pid Process 5588 cmd.exe 5256 Process not Found -
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Program crash 4 IoCs
pid pid_target Process procid_target 5696 1644 Process not Found 141 4004 1644 Process not Found 141 5380 5564 Process not Found 1884 1744 3432 Process not Found 1890 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5352 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe -
Kills process with taskkill 2 IoCs
pid Process 1616 taskkill.exe 5308 taskkill.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Colors\InactiveBorder = "212 208 200" AgentSvr.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" Bonzify.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Security\Sending_Security = "Medium" Bonzify.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\ReversedReadingType = "0x00000000" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\Phonetic.IsOfflineReading = "0x00000/00" Bonzify.exe Set value (int) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\MinimumHitRadius = "0" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallPaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies = "%USERPRPFILE%\\AppData\\Local\\Microsoft\\Windows\\INetCookies" Bonzify.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\netprofmsvc.dll,-208 = "Network Location Awareness" AgentSvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BdeUnlock\appType = "app:system" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.Proximity\ = "NFP Completion" AgentSvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\eapsvc.dll,-1 = "Extensible Authentication Protocol" Bonzify.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\Enabledv9 = "0" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\SystemHand\.Current\ = "%SystemRoot%\\media\\Windows Foreground.wav" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands\right = "z00000000-0000-0000-0000-000000000000}" Bonzify.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\windowsudkservices.shellcommon.dll,-100 = "Udk User Service" Bonzify.exe Set value (int) \REGISTRY\USER\S-1-5-19\Console\CursorSize = "25" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\Geo\Nation = "244" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\WindowsLogon\.Default\ = "%SystemRoot%\\media\\Windows Logon.wav" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\EUDC\949\SystemDefaultEUDCFont = "EUDC.TTE" AgentSvr.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873914833010222" chrome.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Windows.SharedPC.AccountManager.dll,-100 = "Shared PC Account Manager" AgentSvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.LowDisk\appType = "app:system" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\BeepEnable = "0x00000001" AgentSvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1136229799-3442283115-138161576-1000\02cihkrvvmiltkuc\AppIdList = "{AFDA72BF-3409-413@-B54E-2AB8D66A7826};" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\FaxBeep\DispFileName = "@mmres.dll,-5858" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm9\.Current\ = "%SystemRoot%\\media\\Alarm09.wavÿ" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\CandidateSortType = "0x00000001" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Templates = "%USERPROEILE%\\AppData\\Roaming\\Microsoft\\Windows\\Templates" Bonzify.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\FontSmoothing = "2" AgentSvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\sMonDecimalSep = ".ÿ" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\sDecimal = "." AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Navigating\ = "Start Navigation" AgentSvr.exe Set value (int) \REGISTRY\USER\S-1-5-20\Console\PopupColors = "245" Bonzify.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Call5\ExcludeFromCPL = "1" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\WindowsLogon\ = "Windows Logon" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Reminder\.Default\ = "%SystemRont%\\media\\Windows Notify Calendar.wav" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\DragHeight = "4" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ThemeManager\PrePolicy-DllName = "C:\\Windows\\resources\\themes\\Aero\\Aero.msstyles" Bonzify.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\srpapi.dll,-100 = "AppID Driver" Bonzify.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\MessagingService.dll,-100 = "MessagingSesvice" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Colors\GradientActiveTitle = "185 209 235" AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\BlockedPopup\DispFileName = "@ieframe.dll,-10325" Bonzify.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\Legacy.Eudp = "0x00000000" AgentSvr.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1\ = "148628" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aca\ = "Agent.Character.2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\ = "Microsoft Agent Server 1.5" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputPropertiesEx" AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "932" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0300000004000000020000000000000001000000ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Version\ = "1.5" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5699" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1672" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1602" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR\ = "C:\\Windows\\msagent\\" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA141FD0-AC7F-11d1-97A3-0060082730FF}\InprocServer32\ = "C:\\Windows\\lhsp\\tv\\tv_enua.dll" regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5719" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3\NodeSlot = "7" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\ = "Microsoft Agent Control 1.5" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8097" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox" chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCtlCommandsWindow" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ = "IAgentEx" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\ = "0" regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "952" SearchHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0 AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{143A62C8-C33B-11D1-84FE-00C04FA34A14}\InprocServer32\ = "C:\\Windows\\msagent\\AgentPsh.dll" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\.mov\VLC.backup = "WMP11.AssocFile.MOV" AgentSvr.exe Set value (data) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3 = 19002f463a5c000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5} regsvr32.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\The Big Bang.iso:Zone.Identifier chrome.exe File opened for modification C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier chrome.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2304 explorer.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 1724 chrome.exe 1724 chrome.exe 404 Bonzify.exe 404 Bonzify.exe 2304 explorer.exe 2304 explorer.exe 404 Bonzify.exe 404 Bonzify.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2304 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2748 AgentSvr.exe 2748 AgentSvr.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2748 AgentSvr.exe 2748 AgentSvr.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 404 Bonzify.exe 4692 INSTALLER.exe 4152 AgentSvr.exe 2816 INSTALLER.exe 2748 AgentSvr.exe 2304 explorer.exe 3460 SearchHost.exe 2700 StartMenuExperienceHost.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 2304 explorer.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe 3460 SearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 4556 2476 chrome.exe 81 PID 2476 wrote to memory of 4556 2476 chrome.exe 81 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 1300 2476 chrome.exe 82 PID 2476 wrote to memory of 336 2476 chrome.exe 83 PID 2476 wrote to memory of 336 2476 chrome.exe 83 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 PID 2476 wrote to memory of 4284 2476 chrome.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/TheDarkMythos/windows-malware1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffd9b43dcf8,0x7ffd9b43dd04,0x7ffd9b43dd102⤵PID:4556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1944 /prefetch:22⤵PID:1300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2232 /prefetch:112⤵
- Downloads MZ/PE file
PID:336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2512 /prefetch:132⤵PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3156 /prefetch:12⤵PID:2336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3148 /prefetch:12⤵PID:2900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4192 /prefetch:92⤵PID:3600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5128,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5140 /prefetch:142⤵PID:4640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5160,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5252 /prefetch:142⤵PID:4748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5132,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5460 /prefetch:142⤵PID:4872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5176,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5364 /prefetch:142⤵PID:2252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5424,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:4008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5848,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5868 /prefetch:142⤵
- NTFS ADS
PID:4240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6224,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5980 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6352,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5796 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6316,i,11112349852073504812,16435625390725485505,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5552 /prefetch:142⤵PID:4080
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:1336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1600
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2968
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"2⤵PID:4244
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1616
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent3⤵PID:5056
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)3⤵PID:908
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4692 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵
- Loads dropped DLL
- Modifies registry class
PID:5068
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵
- Loads dropped DLL
PID:3460
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵
- Loads dropped DLL
PID:4748
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵
- Loads dropped DLL
- Modifies registry class
PID:2700
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- Loads dropped DLL
- Modifies registry class
PID:1904
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵
- Loads dropped DLL
PID:932
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵
- Loads dropped DLL
- Modifies registry class
PID:3548
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵PID:1404
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2816 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll3⤵
- Loads dropped DLL
PID:3212
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll3⤵
- Loads dropped DLL
PID:2656
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵PID:4372
-
-
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2748
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C41⤵PID:1172
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2304 -
\??\E:\Bonzify.exe"E:\Bonzify.exe"2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"3⤵PID:5156
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe4⤵
- Loads dropped DLL
- Kills process with taskkill
PID:5308
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent4⤵PID:5460
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)4⤵PID:5548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵PID:5168
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5144
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵PID:5360
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵PID:5428
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)4⤵PID:5436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"3⤵PID:5456
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5524
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:5596
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"3⤵PID:5576
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5640
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)4⤵PID:5684
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5652 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:5168
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:5200
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:2992
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"4⤵
- Loads dropped DLL
PID:5428
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"4⤵
- Loads dropped DLL
PID:5784
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"4⤵
- Loads dropped DLL
PID:5540
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
- Loads dropped DLL
PID:5248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"3⤵PID:5740
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"4⤵PID:2508
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)4⤵PID:5216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"3⤵PID:5548
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"4⤵PID:5820
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)4⤵PID:2012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"3⤵PID:5392
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"4⤵PID:1452
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)4⤵PID:5924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"3⤵PID:4424
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\bfsvc.exe"4⤵PID:5204
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)4⤵PID:3692
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵PID:5172
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"4⤵PID:5380
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)4⤵PID:5428
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:5776 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll4⤵
- Loads dropped DLL
- Modifies registry class
PID:2548
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll4⤵
- Loads dropped DLL
- Modifies registry class
PID:176
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"3⤵PID:5608
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Boot\PCAT\memtest.exe"4⤵PID:5796
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BrowserCore\BrowserCore.exe"3⤵PID:2508
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\BrowserCore\BrowserCore.exe"4⤵PID:5172
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\BrowserCore\BrowserCore.exe" /grant "everyone":(f)4⤵PID:724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"3⤵PID:276
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\explorer.exe"4⤵PID:3864
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\explorer.exe" /grant "everyone":(f)4⤵PID:5412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\HelpPane.exe"4⤵PID:5980
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)4⤵PID:3784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"3⤵PID:5964
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\hh.exe"4⤵PID:6008
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\hh.exe" /grant "everyone":(f)4⤵PID:1852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"3⤵PID:2012
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"4⤵PID:5300
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"3⤵PID:3824
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"4⤵PID:4876
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)4⤵PID:2296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"3⤵PID:2392
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"4⤵PID:4424
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"3⤵PID:1928
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"4⤵PID:2548
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)4⤵PID:5704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"3⤵PID:5920
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"4⤵PID:4032
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)4⤵PID:5532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"3⤵PID:5876
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"4⤵PID:5592
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:1144
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"3⤵PID:5368
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"4⤵PID:5460
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)4⤵PID:5456
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"3⤵PID:1412
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5804
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"3⤵PID:5248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"4⤵PID:5800
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)4⤵PID:5948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"3⤵PID:764
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"4⤵PID:5972
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)4⤵PID:5696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"3⤵PID:5648
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"4⤵PID:5712
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5820
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5612 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"4⤵PID:932
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)4⤵PID:2256
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"4⤵PID:5776
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)4⤵PID:2888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵PID:3696
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
- Modifies file permissions
PID:440
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)4⤵PID:4532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"3⤵PID:4092
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
- Possible privilege escalation attempt
PID:6084
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)4⤵PID:5480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"3⤵PID:3796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"4⤵PID:4320
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:3000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"3⤵PID:1852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5796
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"4⤵
- Modifies file permissions
PID:4184
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)4⤵PID:5272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"3⤵PID:4288
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"4⤵
- Possible privilege escalation attempt
PID:4996
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)4⤵PID:6100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"3⤵PID:3520
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"4⤵PID:5324
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)4⤵PID:5284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"3⤵PID:5316
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"4⤵
- Possible privilege escalation attempt
PID:3920
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)4⤵PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"3⤵PID:4588
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"4⤵PID:5344
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)4⤵PID:5352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵PID:5920
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵PID:5064
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵PID:5364
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5500
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"3⤵PID:5368
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"4⤵PID:176
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)4⤵PID:3200
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"3⤵PID:5956
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"4⤵PID:5836
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)4⤵PID:5948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"3⤵PID:5628
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"4⤵PID:5696
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)4⤵PID:5212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"3⤵PID:2264
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"4⤵PID:6024
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)4⤵PID:5664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"3⤵PID:5648
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"4⤵PID:5892
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)4⤵PID:5908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"3⤵PID:5612
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"4⤵
- Possible privilege escalation attempt
PID:5968
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)4⤵PID:3804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"3⤵PID:968
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"4⤵PID:1804
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)4⤵PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"3⤵PID:5396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"4⤵
- Possible privilege escalation attempt
PID:2160
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"3⤵PID:6076
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"4⤵PID:6084
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)4⤵PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"3⤵PID:4088
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"4⤵PID:3000
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"3⤵PID:1292
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2012
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)4⤵PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"3⤵PID:5932
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"4⤵PID:4288
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:4612
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵PID:5312
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"4⤵PID:2656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)4⤵PID:5660
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"3⤵PID:5760
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"4⤵
- Possible privilege escalation attempt
PID:1168
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)4⤵PID:5188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"3⤵PID:8
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"4⤵PID:4588
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"3⤵PID:5444
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"4⤵PID:5384
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)4⤵PID:4820
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"3⤵PID:5524
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"4⤵PID:412
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)4⤵PID:5512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:5216
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"4⤵PID:5368
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)4⤵PID:5492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:3440
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:5940
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)4⤵PID:5872
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵PID:5836
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- Possible privilege escalation attempt
PID:5168
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)4⤵PID:5848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"3⤵PID:5212
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5632
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:2264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"3⤵PID:728
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"4⤵PID:4340
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"3⤵PID:5916
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"4⤵PID:3804
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)4⤵PID:6132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"3⤵PID:5552
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"4⤵PID:6140
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"3⤵PID:3184
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"4⤵PID:4924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)4⤵PID:5396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"3⤵PID:3696
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"4⤵PID:5252
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)4⤵PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"3⤵PID:1160
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"4⤵PID:5732
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)4⤵PID:5344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"3⤵PID:5508
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"4⤵PID:5256
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)4⤵PID:5724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"3⤵PID:5592
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"4⤵PID:5364
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)4⤵PID:5464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"3⤵PID:5452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"4⤵
- Possible privilege escalation attempt
PID:5560
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)4⤵PID:3200
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"3⤵PID:4016
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"4⤵PID:448
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"4⤵PID:5928
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)4⤵PID:5684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"3⤵PID:764
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"4⤵PID:5688
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)4⤵PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"3⤵PID:5212
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"4⤵PID:5640
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"3⤵PID:5892
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"4⤵PID:5612
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:4928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"3⤵PID:5056
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵PID:968
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5596
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵PID:2580
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵PID:4388
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)4⤵PID:5912
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"3⤵PID:2160
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"4⤵PID:276
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:3888
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:4760
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)4⤵PID:3248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵PID:3100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Modifies file permissions
PID:5300
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)4⤵PID:3824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"3⤵PID:5128
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)4⤵PID:5660
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"3⤵PID:2880
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵PID:1928
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)4⤵PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"3⤵PID:2396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"4⤵PID:5864
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)4⤵PID:1160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"3⤵PID:5352
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"4⤵PID:5332
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)4⤵PID:5064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵PID:4040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5444
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"4⤵PID:5520
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵PID:5448
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵PID:5488
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)4⤵PID:5140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"3⤵PID:5804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"4⤵PID:5428
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:5952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵PID:5900
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5684
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)4⤵PID:5628
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"3⤵PID:5820
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"4⤵PID:5972
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵PID:4196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"4⤵PID:5992
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)4⤵PID:5192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"3⤵PID:4708
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"4⤵PID:5172
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵PID:2256
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"4⤵PID:1908
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)4⤵PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵PID:5244
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"4⤵PID:4924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)4⤵PID:724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵PID:5996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵PID:4068
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)4⤵PID:6048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵PID:5424
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵PID:1852
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)4⤵PID:3888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"3⤵PID:4188
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
- Modifies file permissions
PID:6008
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)4⤵PID:3100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:3176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4280
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)4⤵PID:5268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"3⤵PID:5508
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"4⤵PID:5388
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)4⤵PID:5944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5468 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"4⤵PID:3420
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)4⤵PID:6128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"3⤵PID:4188
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵PID:5968
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)4⤵PID:5904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:440
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:6080
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)4⤵PID:3128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:5996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Modifies file permissions
PID:5176
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)4⤵PID:4184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"3⤵PID:3100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"4⤵PID:5148
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"3⤵PID:5232
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"4⤵
- Modifies file permissions
PID:5252
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)4⤵PID:5564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵PID:5516
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵PID:5736
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)4⤵PID:5920
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"3⤵PID:5336
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"4⤵PID:5928
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)4⤵PID:5376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"3⤵PID:5520
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"4⤵PID:764
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)4⤵PID:5380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"3⤵PID:5940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5140
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"4⤵PID:448
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"3⤵PID:2008
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"4⤵
- Modifies file permissions
PID:5668
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)4⤵PID:5832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"4⤵PID:3804
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)4⤵PID:6136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"3⤵PID:5184
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)4⤵PID:5168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"3⤵PID:4820
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"4⤵PID:6104
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)4⤵PID:4480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"3⤵PID:5288
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"4⤵PID:5172
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)4⤵PID:3552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"3⤵PID:5576
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"4⤵
- Possible privilege escalation attempt
PID:4208
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)4⤵PID:5068
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"3⤵PID:1780
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"4⤵PID:6048
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)4⤵PID:5208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"3⤵PID:5480
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"4⤵
- Possible privilege escalation attempt
PID:6088
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)4⤵PID:3888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"3⤵PID:1892
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"4⤵
- Possible privilege escalation attempt
PID:4764
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)4⤵PID:5532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"3⤵PID:4032
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"4⤵
- Modifies file permissions
PID:1168
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)4⤵PID:1408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5864 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"4⤵PID:5584
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)4⤵PID:5276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"3⤵PID:5308
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"4⤵PID:5812
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"4⤵PID:5592
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"3⤵PID:5504
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"4⤵
- Modifies file permissions
PID:5520
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)4⤵PID:6116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"3⤵PID:1412
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"4⤵PID:5952
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)4⤵PID:5464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"3⤵PID:5940
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"4⤵PID:5632
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"3⤵PID:5980
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"4⤵PID:5588
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)4⤵PID:5988
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"3⤵PID:2256
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"4⤵PID:5396
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)4⤵PID:5184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"3⤵PID:5628
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"4⤵PID:1860
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"3⤵PID:5972
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"4⤵PID:6108
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)4⤵PID:5288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"3⤵PID:5172
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"4⤵PID:5552
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)4⤵PID:5576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"3⤵PID:932
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"4⤵PID:5616
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"3⤵PID:5644
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"4⤵PID:5300
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)4⤵PID:5480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"3⤵PID:5296
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5548
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"3⤵PID:4760
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"4⤵PID:1408
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"3⤵PID:3520
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"4⤵PID:5276
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)4⤵PID:3116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"3⤵PID:5232
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"4⤵PID:5516
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"3⤵PID:5064
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"4⤵
- Possible privilege escalation attempt
PID:5452
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)4⤵PID:5376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"3⤵PID:5848
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"4⤵PID:5456
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"3⤵PID:5676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"4⤵PID:5464
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)4⤵PID:5544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"3⤵PID:448
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"4⤵PID:924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)4⤵PID:5940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"3⤵PID:5888
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"4⤵PID:6136
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)4⤵PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"3⤵PID:5680
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"4⤵
- Possible privilege escalation attempt
PID:5168
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)4⤵PID:5696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"3⤵PID:6092
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"4⤵
- Modifies file permissions
PID:5700
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)4⤵PID:6008
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"3⤵PID:5360
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"4⤵PID:5992
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)4⤵PID:6024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"4⤵PID:5068
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)4⤵PID:5172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"3⤵PID:5132
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"4⤵PID:5208
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)4⤵PID:5616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"3⤵PID:4288
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"4⤵PID:3888
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)4⤵PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"3⤵PID:2160
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6088
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"4⤵
- Possible privilege escalation attempt
PID:5332
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)4⤵PID:1012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"3⤵PID:5196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"4⤵PID:5608
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)4⤵PID:4760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"3⤵PID:5328
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"4⤵PID:5736
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)4⤵PID:3520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"3⤵PID:2992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"4⤵PID:2032
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)4⤵PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"3⤵PID:5812
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"4⤵PID:764
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)4⤵PID:5064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"3⤵PID:5656
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"4⤵PID:3440
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)4⤵PID:5716
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"3⤵PID:5492
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"4⤵PID:5500
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"3⤵PID:5800
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"4⤵PID:2008
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)4⤵PID:448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"3⤵PID:5840
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵PID:5340
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:6136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"3⤵PID:5912
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"4⤵PID:5776
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)4⤵PID:5680
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"3⤵PID:5280
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"4⤵PID:5304
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)4⤵PID:8
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"3⤵PID:4924
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"4⤵PID:6108
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"3⤵PID:3420
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"4⤵PID:5968
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)4⤵PID:5432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"3⤵PID:5868
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"4⤵PID:3128
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)4⤵PID:1780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"3⤵PID:5132
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"4⤵PID:6100
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:2856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"3⤵PID:3784
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"4⤵PID:5372
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)4⤵PID:5556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"3⤵PID:904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"4⤵PID:5144
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)4⤵PID:5228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"3⤵PID:1952
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵
- Modifies file permissions
PID:3520
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)4⤵PID:4656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"3⤵PID:5276
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"4⤵PID:5928
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"3⤵PID:2992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵PID:5592
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)4⤵PID:4788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"3⤵PID:5684
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"4⤵PID:176
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)4⤵PID:5436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"3⤵PID:5656
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"4⤵PID:5676
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)4⤵PID:5428
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"3⤵PID:4340
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"4⤵
- Modifies file permissions
PID:5528
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"3⤵PID:5248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"4⤵PID:1908
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)4⤵PID:5980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"3⤵PID:5804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"4⤵PID:5924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:2112
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"3⤵PID:5524
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"4⤵
- Modifies file permissions
PID:6092
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)4⤵PID:5628
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"3⤵PID:5700
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"4⤵PID:5360
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)4⤵PID:5712
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"3⤵PID:6108
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"4⤵PID:2656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)4⤵PID:5936
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"3⤵PID:1756
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"4⤵PID:5916
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)4⤵PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"3⤵PID:4068
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"4⤵PID:440
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)4⤵PID:5644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\msagent\AgentSvr.exe"3⤵PID:5728
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\msagent\AgentSvr.exe"4⤵PID:2160
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\msagent\AgentSvr.exe" /grant "everyone":(f)4⤵PID:5296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"3⤵PID:5148
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\notepad.exe"4⤵PID:4876
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\notepad.exe" /grant "everyone":(f)4⤵PID:5808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"3⤵PID:904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\PrintDialog\PrintDialog.exe"4⤵PID:4656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)4⤵PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"3⤵PID:3176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\regedit.exe"4⤵PID:5308
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\regedit.exe" /grant "everyone":(f)4⤵PID:5344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe"3⤵PID:5536
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe"4⤵PID:5836
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe" /grant "everyone":(f)4⤵PID:2032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe"3⤵PID:2992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe"4⤵PID:5348
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe" /grant "everyone":(f)4⤵PID:3248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe"3⤵PID:5452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe"4⤵PID:5852
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe"3⤵PID:1452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe"4⤵PID:2508
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe"3⤵PID:5596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5368
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe"4⤵PID:924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe" /grant "everyone":(f)4⤵PID:5340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe"3⤵PID:1908
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe"4⤵PID:5832
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe" /grant "everyone":(f)4⤵PID:5184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe"3⤵PID:5924
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe"4⤵
- Possible privilege escalation attempt
PID:2012
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe" /grant "everyone":(f)4⤵PID:5396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.22000.41_none_506d5972b4817c83\f\Magnify.exe"3⤵PID:5352
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.22000.41_none_506d5972b4817c83\f\Magnify.exe"4⤵PID:3920
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.22000.41_none_506d5972b4817c83\f\Magnify.exe" /grant "everyone":(f)4⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.22000.120_none_a6b2722d9eed2eed\f\fixmapi.exe"3⤵PID:5700
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.22000.120_none_a6b2722d9eed2eed\f\fixmapi.exe"4⤵PID:5316
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.22000.120_none_a6b2722d9eed2eed\f\fixmapi.exe" /grant "everyone":(f)4⤵PID:5192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.22000.469_none_403fa699a3654657\f\MDMAgent.exe"3⤵PID:3652
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.22000.469_none_403fa699a3654657\f\MDMAgent.exe"4⤵PID:5068
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.22000.469_none_403fa699a3654657\f\MDMAgent.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:3128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.22000.120_none_97c4601a91ef2a4b\f\mfpmp.exe"3⤵PID:5916
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.22000.120_none_97c4601a91ef2a4b\f\mfpmp.exe"4⤵PID:4184
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.22000.120_none_97c4601a91ef2a4b\f\mfpmp.exe" /grant "everyone":(f)4⤵PID:6100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpconfig.exe"3⤵PID:5480
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpconfig.exe"4⤵PID:6084
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpconfig.exe" /grant "everyone":(f)4⤵PID:5372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmplayer.exe"3⤵PID:2676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmplayer.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5808
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmplayer.exe" /grant "everyone":(f)4⤵PID:5532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpshare.exe"3⤵PID:4876
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpshare.exe"4⤵PID:2396
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpshare.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:3520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984\f\mighost.exe"3⤵PID:3116
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984\f\mighost.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2548
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984\f\mighost.exe" /grant "everyone":(f)4⤵PID:5736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.22000.71_none_bcb9c63bb991a4c6\f\msconfig.exe"3⤵PID:4444
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.22000.71_none_bcb9c63bb991a4c6\f\msconfig.exe"4⤵PID:5812
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.22000.71_none_bcb9c63bb991a4c6\f\msconfig.exe" /grant "everyone":(f)4⤵PID:5160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.22000.71_none_688486d306b27285\f\msinfo32.exe"3⤵PID:5536
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.22000.71_none_688486d306b27285\f\msinfo32.exe"4⤵
- Possible privilege escalation attempt
PID:5380
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.22000.71_none_688486d306b27285\f\msinfo32.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.22000.71_none_8e1bee8f157fdd6d\f\msinfo32.exe"3⤵PID:724
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.22000.71_none_8e1bee8f157fdd6d\f\msinfo32.exe"4⤵PID:5668
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.22000.71_none_8e1bee8f157fdd6d\f\msinfo32.exe" /grant "everyone":(f)4⤵PID:4340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.22000.41_none_705d08ab0a6355da\f\mspaint.exe"3⤵PID:5484
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.22000.41_none_705d08ab0a6355da\f\mspaint.exe"4⤵PID:5980
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.22000.41_none_705d08ab0a6355da\f\mspaint.exe" /grant "everyone":(f)4⤵PID:5884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorQuickStart.exe"3⤵PID:6136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorQuickStart.exe"4⤵PID:5844
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorQuickStart.exe" /grant "everyone":(f)4⤵PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\f\Narrator.exe"3⤵PID:5292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5832
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\f\Narrator.exe"4⤵PID:5508
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\f\Narrator.exe" /grant "everyone":(f)4⤵PID:5524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_eb1a21d23daf2030\f\NcsiUwpApp.exe"3⤵PID:6092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5924
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_eb1a21d23daf2030\f\NcsiUwpApp.exe"4⤵
- Possible privilege escalation attempt
PID:5408
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-ncsiuwpapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_eb1a21d23daf2030\f\NcsiUwpApp.exe" /grant "everyone":(f)4⤵PID:6024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.22000.434_none_823a5b3dd9c522d8\f\net1.exe"3⤵PID:5360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.22000.434_none_823a5b3dd9c522d8\f\net1.exe"4⤵PID:5936
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.22000.434_none_823a5b3dd9c522d8\f\net1.exe" /grant "everyone":(f)4⤵PID:6108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.22000.348_none_a83a13d7c7ca92d4\f\nfsclnt.exe"3⤵PID:5968
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.22000.348_none_a83a13d7c7ca92d4\f\nfsclnt.exe"4⤵PID:3864
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.22000.348_none_a83a13d7c7ca92d4\f\nfsclnt.exe" /grant "everyone":(f)4⤵PID:6080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\f\OOBENetworkConnectionFlow.exe"3⤵PID:6140
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\f\OOBENetworkConnectionFlow.exe"4⤵
- Possible privilege escalation attempt
PID:5244
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\f\OOBENetworkConnectionFlow.exe" /grant "everyone":(f)4⤵PID:6100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..eminputhost-process_31bf3856ad364e35_10.0.22000.120_none_842c9d9e843cf6c7\f\ISM.exe"3⤵PID:5616
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..eminputhost-process_31bf3856ad364e35_10.0.22000.120_none_842c9d9e843cf6c7\f\ISM.exe"4⤵PID:1012
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..eminputhost-process_31bf3856ad364e35_10.0.22000.120_none_842c9d9e843cf6c7\f\ISM.exe" /grant "everyone":(f)4⤵PID:2160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\OOBENetworkCaptivePortal.exe"3⤵PID:5480
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\OOBENetworkCaptivePortal.exe"4⤵PID:5332
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\OOBENetworkCaptivePortal.exe" /grant "everyone":(f)4⤵PID:5228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel-la57_31bf3856ad364e35_10.0.22000.493_none_47936afef938817b\f\ntkrla57.exe"3⤵PID:5196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel-la57_31bf3856ad364e35_10.0.22000.493_none_47936afef938817b\f\ntkrla57.exe"4⤵PID:5608
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel-la57_31bf3856ad364e35_10.0.22000.493_none_47936afef938817b\f\ntkrla57.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.22000.493_none_674ce99b39869941\f\ntoskrnl.exe"3⤵PID:4760
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.22000.493_none_674ce99b39869941\f\ntoskrnl.exe"4⤵
- Possible privilege escalation attempt
PID:5344
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.22000.493_none_674ce99b39869941\f\ntoskrnl.exe" /grant "everyone":(f)4⤵PID:5216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.22000.120_none_9ed34dd5b0c53507\f\WpcUapApp.exe"3⤵PID:3076
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.22000.120_none_9ed34dd5b0c53507\f\WpcUapApp.exe"4⤵PID:2032
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.22000.120_none_9ed34dd5b0c53507\f\WpcUapApp.exe" /grant "everyone":(f)4⤵PID:5064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.22000.194_none_d171c2327b4ef3a7\f\printui.exe"3⤵PID:1408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4444
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.22000.194_none_d171c2327b4ef3a7\f\printui.exe"4⤵PID:5240
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.22000.194_none_d171c2327b4ef3a7\f\printui.exe" /grant "everyone":(f)4⤵PID:4928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.22000.65_none_2d03a3ca59967a09\f\WpcMon.exe"3⤵PID:5820
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.22000.65_none_2d03a3ca59967a09\f\WpcMon.exe"4⤵PID:5428
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.22000.65_none_2d03a3ca59967a09\f\WpcMon.exe" /grant "everyone":(f)4⤵PID:5952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.22000.282_none_eb29ce0d02c88de7\f\ntprint.exe"3⤵PID:5848
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.22000.282_none_eb29ce0d02c88de7\f\ntprint.exe"4⤵
- Possible privilege escalation attempt
PID:2508
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.22000.282_none_eb29ce0d02c88de7\f\ntprint.exe" /grant "everyone":(f)4⤵PID:5772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleExperienceHost.exe"3⤵PID:176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1412
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleExperienceHost.exe"4⤵PID:5056
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleExperienceHost.exe" /grant "everyone":(f)4⤵PID:5884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.22000.282_none_85f8b97e4dbf9185\f\wpnpinst.exe"3⤵PID:5800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.22000.282_none_85f8b97e4dbf9185\f\wpnpinst.exe"4⤵PID:5752
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.22000.282_none_85f8b97e4dbf9185\f\wpnpinst.exe" /grant "everyone":(f)4⤵PID:5184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_0f681b8c9b834caa\f\PinningConfirmationDialog.exe"3⤵PID:5340
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_0f681b8c9b834caa\f\PinningConfirmationDialog.exe"4⤵PID:5944
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_0f681b8c9b834caa\f\PinningConfirmationDialog.exe" /grant "everyone":(f)4⤵PID:5524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.22000.120_none_6698726619b2ab7a\f\PerceptionSimulationInput.exe"3⤵PID:5988
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.22000.120_none_6698726619b2ab7a\f\PerceptionSimulationInput.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6104
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.22000.120_none_6698726619b2ab7a\f\PerceptionSimulationInput.exe" /grant "everyone":(f)4⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.22000.120_none_e83cf4fa7871c56f\f\PkgMgr.exe"3⤵PID:5388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.22000.120_none_e83cf4fa7871c56f\f\PkgMgr.exe"4⤵PID:5404
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_10.0.22000.120_none_e83cf4fa7871c56f\f\PkgMgr.exe" /grant "everyone":(f)4⤵PID:6108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.22000.37_none_7461fc8593f740b9\f\ApproveChildRequest.exe"3⤵PID:5724
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.22000.37_none_7461fc8593f740b9\f\ApproveChildRequest.exe"4⤵PID:4480
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.22000.37_none_7461fc8593f740b9\f\ApproveChildRequest.exe" /grant "everyone":(f)4⤵PID:6080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.22000.434_none_4f4ac04322f04123\f\PktMon.exe"3⤵PID:5156
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.22000.434_none_4f4ac04322f04123\f\PktMon.exe"4⤵PID:4068
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-pktmon-setup_31bf3856ad364e35_10.0.22000.434_none_4f4ac04322f04123\f\PktMon.exe" /grant "everyone":(f)4⤵PID:440
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\splwow64.exe"3⤵PID:932
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\splwow64.exe"4⤵PID:576
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\splwow64.exe" /grant "everyone":(f)4⤵PID:5644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\spoolsv.exe"3⤵PID:4388
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\spoolsv.exe"4⤵PID:276
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\f\spoolsv.exe" /grant "everyone":(f)4⤵PID:5808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.22000.65_none_99e34b544b7754a7\f\provtool.exe"3⤵PID:6084
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.22000.65_none_99e34b544b7754a7\f\provtool.exe"4⤵PID:1892
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.22000.65_none_99e34b544b7754a7\f\provtool.exe" /grant "everyone":(f)4⤵PID:1952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.22000.282_none_f927204bf41f3d61\f\quickassist.exe"3⤵PID:5608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5864
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.22000.282_none_f927204bf41f3d61\f\quickassist.exe"4⤵PID:4092
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.22000.282_none_f927204bf41f3d61\f\quickassist.exe" /grant "everyone":(f)4⤵PID:5736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.22000.71_none_123327ab91644184\f\raserver.exe"3⤵PID:5216
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.22000.71_none_123327ab91644184\f\raserver.exe"4⤵PID:5512
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.22000.71_none_123327ab91644184\f\raserver.exe" /grant "everyone":(f)4⤵PID:5704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.22000.132_none_23ef129810e14356\f\RecoveryDrive.exe"3⤵PID:5064
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.22000.132_none_23ef129810e14356\f\RecoveryDrive.exe"4⤵PID:6132
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.22000.132_none_23ef129810e14356\f\RecoveryDrive.exe" /grant "everyone":(f)4⤵PID:5520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.22000.434_none_e6157b76b496d682\f\refsutil.exe"3⤵PID:5448
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.22000.434_none_e6157b76b496d682\f\refsutil.exe"4⤵PID:2992
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.22000.434_none_e6157b76b496d682\f\refsutil.exe" /grant "everyone":(f)4⤵PID:5436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\msra.exe"3⤵PID:5492
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\msra.exe"4⤵PID:5536
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\msra.exe" /grant "everyone":(f)4⤵PID:5364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\sdchange.exe"3⤵PID:5624
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\sdchange.exe"4⤵PID:724
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\f\sdchange.exe" /grant "everyone":(f)4⤵PID:5424
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.22000.469_none_c24a28fb71aa07c9\f\Robocopy.exe"3⤵PID:448
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.22000.469_none_c24a28fb71aa07c9\f\Robocopy.exe"4⤵PID:5900
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.22000.469_none_c24a28fb71aa07c9\f\Robocopy.exe" /grant "everyone":(f)4⤵PID:924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-runas_31bf3856ad364e35_10.0.22000.434_none_5b46b110e29f5b31\f\runas.exe"3⤵
- Access Token Manipulation: Create Process with Token
PID:5588 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2256
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-runas_31bf3856ad364e35_10.0.22000.434_none_5b46b110e29f5b31\f\runas.exe"4⤵PID:5168
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-runas_31bf3856ad364e35_10.0.22000.434_none_5b46b110e29f5b31\f\runas.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.22000.120_none_f07c0067839c600d\f\RMActivate_ssp_isv.exe"3⤵PID:5680
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.22000.120_none_f07c0067839c600d\f\RMActivate_ssp_isv.exe"4⤵PID:5628
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.22000.120_none_f07c0067839c600d\f\RMActivate_ssp_isv.exe" /grant "everyone":(f)4⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.22000.469_none_40856ba085a100c4\f\BioIso.exe"3⤵PID:5880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.22000.469_none_40856ba085a100c4\f\BioIso.exe"4⤵PID:5648
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.22000.469_none_40856ba085a100c4\f\BioIso.exe" /grant "everyone":(f)4⤵PID:2708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\f\services.exe"3⤵PID:5908
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\f\services.exe"4⤵PID:5192
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\f\services.exe" /grant "everyone":(f)4⤵PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.22000.194_none_ecba39f8d9cbe846\f\bdechangepin.exe"3⤵PID:5468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5936
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.22000.194_none_ecba39f8d9cbe846\f\bdechangepin.exe"4⤵PID:1804
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.22000.194_none_ecba39f8d9cbe846\f\bdechangepin.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.22000.100_none_1c26ef58a3003bf2\f\SystemSettingsAdminFlows.exe"3⤵PID:5156
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.22000.100_none_1c26ef58a3003bf2\f\SystemSettingsAdminFlows.exe"4⤵PID:2820
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.22000.100_none_1c26ef58a3003bf2\f\SystemSettingsAdminFlows.exe" /grant "everyone":(f)4⤵PID:4288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.22000.469_none_e574fa2e821169ac\f\SystemSettingsBroker.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.22000.469_none_e574fa2e821169ac\f\SystemSettingsBroker.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4608
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.22000.469_none_e574fa2e821169ac\f\SystemSettingsBroker.exe" /grant "everyone":(f)4⤵PID:5552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\f\RMActivate_isv.exe"3⤵PID:5480
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1144
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\f\RMActivate_isv.exe"4⤵PID:5984
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\f\RMActivate_isv.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.22000.41_none_1d0a15319901359b\f\PinEnrollmentBroker.exe"3⤵PID:3116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4032
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.22000.41_none_1d0a15319901359b\f\PinEnrollmentBroker.exe"4⤵PID:5872
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.22000.41_none_1d0a15319901359b\f\PinEnrollmentBroker.exe" /grant "everyone":(f)4⤵PID:3696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.22000.469_none_5704c6175ad01b79\f\Microsoft.AAD.BrokerPlugin.exe"3⤵PID:5512
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.22000.469_none_5704c6175ad01b79\f\Microsoft.AAD.BrokerPlugin.exe"4⤵PID:1692
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.22000.469_none_5704c6175ad01b79\f\Microsoft.AAD.BrokerPlugin.exe" /grant "everyone":(f)4⤵PID:4588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_6b23f06ce93f4f52\f\RMActivate_ssp.exe"3⤵PID:5656
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_6b23f06ce93f4f52\f\RMActivate_ssp.exe"4⤵PID:5448
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_6b23f06ce93f4f52\f\RMActivate_ssp.exe" /grant "everyone":(f)4⤵PID:5240
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\diagtrackrunner.exe"3⤵PID:5224
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\diagtrackrunner.exe"4⤵PID:5536
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\diagtrackrunner.exe" /grant "everyone":(f)4⤵PID:5652
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\SetupPlatform.exe"3⤵PID:5504
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\SetupPlatform.exe"4⤵PID:5960
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\SetupPlatform.exe" /grant "everyone":(f)4⤵PID:5684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_f6a11a34378fa70f\f\StartMenuExperienceHost.exe"3⤵PID:176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_f6a11a34378fa70f\f\StartMenuExperienceHost.exe"4⤵
- Modifies file permissions
PID:5980
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_f6a11a34378fa70f\f\StartMenuExperienceHost.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:5900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.132_none_f836cc528422524b\f\ShellExperienceHost.exe"3⤵PID:5304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5168
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.132_none_f836cc528422524b\f\ShellExperienceHost.exe"4⤵
- Modifies file permissions
PID:6136
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.22000.132_none_f836cc528422524b\f\ShellExperienceHost.exe" /grant "everyone":(f)4⤵PID:5408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..rity-spp-validation_31bf3856ad364e35_10.0.22000.176_none_161fead9a85c45cd\f\GenValObj.exe"3⤵PID:5524
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..rity-spp-validation_31bf3856ad364e35_10.0.22000.176_none_161fead9a85c45cd\f\GenValObj.exe"4⤵PID:2356
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..rity-spp-validation_31bf3856ad364e35_10.0.22000.176_none_161fead9a85c45cd\f\GenValObj.exe" /grant "everyone":(f)4⤵PID:1756
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.22000.120_none_c4a02f7c0324c157\f\SearchApp.exe"3⤵PID:5404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.22000.120_none_c4a02f7c0324c157\f\SearchApp.exe"4⤵PID:3888
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.22000.120_none_c4a02f7c0324c157\f\SearchApp.exe" /grant "everyone":(f)4⤵PID:4480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_10.0.22000.120_none_9c5aa041b6a59db2\f\RMActivate.exe"3⤵PID:4208
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_10.0.22000.120_none_9c5aa041b6a59db2\f\RMActivate.exe"4⤵PID:5904
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_10.0.22000.120_none_9c5aa041b6a59db2\f\RMActivate.exe" /grant "everyone":(f)4⤵PID:6044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\cscript.exe"3⤵PID:1012
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\cscript.exe"4⤵PID:4184
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\cscript.exe" /grant "everyone":(f)4⤵PID:5148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\wscript.exe"3⤵PID:5332
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\wscript.exe"4⤵PID:412
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.22000.194_none_4385d5a885bc9a36\f\wscript.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.22000.41_none_46e53612c0e92204\f\BdeUISrv.exe"3⤵PID:5872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5704
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.22000.41_none_46e53612c0e92204\f\BdeUISrv.exe"4⤵PID:2396
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.22000.41_none_46e53612c0e92204\f\BdeUISrv.exe" /grant "everyone":(f)4⤵PID:5928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.22000.434_none_dff7d1ca03eba43a\f\LsaIso.exe"3⤵PID:5200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6132
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.22000.434_none_dff7d1ca03eba43a\f\LsaIso.exe"4⤵PID:2992
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.22000.434_none_dff7d1ca03eba43a\f\LsaIso.exe" /grant "everyone":(f)4⤵PID:5892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.22000.318_none_065139dac533d14e\f\SppExtComObj.Exe"3⤵PID:2008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5492
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.22000.318_none_065139dac533d14e\f\SppExtComObj.Exe"4⤵PID:5636
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.22000.318_none_065139dac533d14e\f\SppExtComObj.Exe" /grant "everyone":(f)4⤵PID:724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.22000.348_none_571935de2408ae28\f\slui.exe"3⤵PID:5960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.22000.348_none_571935de2408ae28\f\slui.exe"4⤵PID:3184
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.22000.348_none_571935de2408ae28\f\slui.exe" /grant "everyone":(f)4⤵PID:5288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.22000.493_none_157ddf72a65679bf\f\sppsvc.exe"3⤵PID:5940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5800
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.22000.493_none_157ddf72a65679bf\f\sppsvc.exe"4⤵PID:4412
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.22000.493_none_157ddf72a65679bf\f\sppsvc.exe" /grant "everyone":(f)4⤵PID:5280
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.22000.282_none_9ed8cb052ff869e6\f\TokenBrokerCookies.exe"3⤵PID:5560
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.22000.282_none_9ed8cb052ff869e6\f\TokenBrokerCookies.exe"4⤵
- Modifies file permissions
PID:4184
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.22000.282_none_9ed8cb052ff869e6\f\TokenBrokerCookies.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5144
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.22000.282_none_3c5af3814be830ab\f\klist.exe"3⤵PID:5176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.22000.282_none_3c5af3814be830ab\f\klist.exe"4⤵PID:3520
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.22000.282_none_3c5af3814be830ab\f\klist.exe" /grant "everyone":(f)4⤵PID:5324
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-ksetup_31bf3856ad364e35_10.0.22000.434_none_17cb2e5ad35a58c9\f\ksetup.exe"3⤵PID:2548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5344
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-ksetup_31bf3856ad364e35_10.0.22000.434_none_17cb2e5ad35a58c9\f\ksetup.exe"4⤵PID:5336
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-ksetup_31bf3856ad364e35_10.0.22000.434_none_17cb2e5ad35a58c9\f\ksetup.exe" /grant "everyone":(f)4⤵PID:3076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.22000.434_none_95bd8d59818abcd7\f\nltest.exe"3⤵PID:5736
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.22000.434_none_95bd8d59818abcd7\f\nltest.exe"4⤵PID:1692
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.22000.434_none_95bd8d59818abcd7\f\nltest.exe" /grant "everyone":(f)4⤵PID:6116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\audit.exe"3⤵PID:5632
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\audit.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5416
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\audit.exe" /grant "everyone":(f)4⤵PID:5792
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\AuditShD.exe"3⤵PID:5364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2508
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\AuditShD.exe"4⤵PID:1796
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\AuditShD.exe" /grant "everyone":(f)4⤵PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\Setup.exe"3⤵PID:176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\Setup.exe"4⤵PID:5612
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\Setup.exe" /grant "everyone":(f)4⤵PID:4340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupHost.exe"3⤵PID:4252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupHost.exe"4⤵PID:2708
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupHost.exe" /grant "everyone":(f)4⤵PID:5292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupPrep.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4036 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupPrep.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4420
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setup360-media-base_31bf3856ad364e35_10.0.22000.469_none_259c259bf9e2d267\f\SetupPrep.exe" /grant "everyone":(f)4⤵PID:5808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.22000.469_none_3038532b4b83a565\f\wowreg32.exe"3⤵PID:5068
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.22000.469_none_3038532b4b83a565\f\wowreg32.exe"4⤵PID:5904
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.22000.469_none_3038532b4b83a565\f\wowreg32.exe" /grant "everyone":(f)4⤵PID:4208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.22000.469_none_83da02152447c976\f\CustomShellHost.exe"3⤵PID:5784
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.22000.469_none_83da02152447c976\f\CustomShellHost.exe"4⤵
- Modifies file permissions
PID:5324
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.22000.469_none_83da02152447c976\f\CustomShellHost.exe" /grant "everyone":(f)4⤵PID:5308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.22000.318_none_ed2b4c25cc173a5f\n\EM.exe"3⤵PID:5480
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.22000.318_none_ed2b4c25cc173a5f\n\EM.exe"4⤵PID:5064
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.22000.318_none_ed2b4c25cc173a5f\n\EM.exe" /grant "everyone":(f)4⤵PID:4092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.22000.469_none_0defc0f5807dd5f0\f\ShellAppRuntime.exe"3⤵PID:5872
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.22000.469_none_0defc0f5807dd5f0\f\ShellAppRuntime.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5952
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.22000.469_none_0defc0f5807dd5f0\f\ShellAppRuntime.exe" /grant "everyone":(f)4⤵PID:1408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22000.65_none_9f7612893c144c09\f\smartscreen.exe"3⤵PID:5428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5240
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22000.65_none_9f7612893c144c09\f\smartscreen.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5652
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22000.65_none_9f7612893c144c09\f\smartscreen.exe" /grant "everyone":(f)4⤵PID:2992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.22000.65_none_5df9e0d1a9b3658b\f\Spectrum.exe"3⤵PID:724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5528
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.22000.65_none_5df9e0d1a9b3658b\f\Spectrum.exe"4⤵
- Possible privilege escalation attempt
PID:924
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.22000.65_none_5df9e0d1a9b3658b\f\Spectrum.exe" /grant "everyone":(f)4⤵PID:5536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.22000.348_none_8c1cd5f65f938380\f\DataStoreCacheDumpTool.exe"3⤵PID:5248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.22000.348_none_8c1cd5f65f938380\f\DataStoreCacheDumpTool.exe"4⤵PID:5340
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.22000.348_none_8c1cd5f65f938380\f\DataStoreCacheDumpTool.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetEngine.exe"3⤵PID:5648
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetEngine.exe"4⤵PID:5868
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetEngine.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetPluginHost.exe"3⤵PID:5172
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetPluginHost.exe"4⤵PID:2160
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\ResetPluginHost.exe" /grant "everyone":(f)4⤵PID:932
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\sysreset.exe"3⤵PID:5532
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\sysreset.exe"4⤵PID:5300
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\sysreset.exe" /grant "everyone":(f)4⤵PID:5400
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\ResetEngine.exe"3⤵PID:3864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3652
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\ResetEngine.exe"4⤵
- Modifies file permissions
PID:6048
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\ResetEngine.exe" /grant "everyone":(f)4⤵PID:504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\SysResetErr.exe"3⤵PID:1852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5156
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\SysResetErr.exe"4⤵
- Possible privilege escalation attempt
PID:276
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\SysResetErr.exe" /grant "everyone":(f)4⤵
- System Location Discovery: System Language Discovery
PID:5324
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\systemreset.exe"3⤵PID:5176
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\systemreset.exe"4⤵PID:1160
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\f\systemreset.exe" /grant "everyone":(f)4⤵PID:3100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpinit.exe"3⤵PID:5276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpinit.exe"4⤵PID:6032
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpinit.exe" /grant "everyone":(f)4⤵PID:5512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpshell.exe"3⤵PID:5216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:764
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpshell.exe"4⤵PID:3440
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..-remoteapplications_31bf3856ad364e35_10.0.22000.282_none_3d368ddb21bde8c7\f\rdpshell.exe" /grant "everyone":(f)4⤵PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.22000.282_none_8a68951ea6251dba\f\wkspbroker.exe"3⤵PID:5200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.22000.282_none_8a68951ea6251dba\f\wkspbroker.exe"4⤵PID:5544
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.22000.282_none_8a68951ea6251dba\f\wkspbroker.exe" /grant "everyone":(f)4⤵PID:5460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpinit.exe"3⤵PID:5876
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpinit.exe"4⤵PID:5776
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpinit.exe" /grant "everyone":(f)4⤵PID:5752
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpshell.exe"3⤵PID:2008
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpshell.exe"4⤵PID:5944
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.22000.282_none_1a017429cb7fea2c\f\rdpshell.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.22000.376_none_fd0b376d9072c88a\f\rdpclip.exe"3⤵PID:924
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.22000.376_none_fd0b376d9072c88a\f\rdpclip.exe"4⤵PID:5484
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.22000.376_none_fd0b376d9072c88a\f\rdpclip.exe" /grant "everyone":(f)4⤵PID:5688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.22000.282_none_305eac6918e57702\f\rdpsign.exe"3⤵PID:3020
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.22000.282_none_305eac6918e57702\f\rdpsign.exe"4⤵
- Modifies file permissions
PID:5256
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.22000.282_none_305eac6918e57702\f\rdpsign.exe" /grant "everyone":(f)4⤵PID:728
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.22000.282_none_4902a165a673e741\f\mstsc.exe"3⤵PID:5248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.22000.282_none_4902a165a673e741\f\mstsc.exe"4⤵PID:3552
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.22000.282_none_4902a165a673e741\f\mstsc.exe" /grant "everyone":(f)4⤵PID:1780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.22000.120_none_b61f094deaec819e\f\RdpSaUacHelper.exe"3⤵PID:3796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4924
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.22000.120_none_b61f094deaec819e\f\RdpSaUacHelper.exe"4⤵PID:4196
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.22000.120_none_b61f094deaec819e\f\RdpSaUacHelper.exe" /grant "everyone":(f)4⤵PID:4940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.22000.65_none_f3a35be8937453f0\f\TabTip.exe"3⤵PID:4776
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.22000.65_none_f3a35be8937453f0\f\TabTip.exe"4⤵
- Possible privilege escalation attempt
PID:5548
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.22000.65_none_f3a35be8937453f0\f\TabTip.exe" /grant "everyone":(f)4⤵PID:2160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-diagnostics_31bf3856ad364e35_10.0.22000.469_none_3fa2439425626f6e\f\TpmDiagnostics.exe"3⤵PID:2296
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-diagnostics_31bf3856ad364e35_10.0.22000.469_none_3fa2439425626f6e\f\TpmDiagnostics.exe"4⤵PID:4288
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-diagnostics_31bf3856ad364e35_10.0.22000.469_none_3fa2439425626f6e\f\TpmDiagnostics.exe" /grant "everyone":(f)4⤵PID:5724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.22000.282_none_f9601eae71d90785\f\TpmTool.exe"3⤵PID:4088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5576
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.22000.282_none_f9601eae71d90785\f\TpmTool.exe"4⤵PID:6096
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.22000.282_none_f9601eae71d90785\f\TpmTool.exe" /grant "everyone":(f)4⤵PID:5132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.22000.469_none_8c502cfed26c810b\f\TrustedInstaller.exe"3⤵PID:5616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1892
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.22000.469_none_8c502cfed26c810b\f\TrustedInstaller.exe"4⤵PID:5780
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.22000.469_none_8c502cfed26c810b\f\TrustedInstaller.exe" /grant "everyone":(f)4⤵PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_6ec3ffab3ec4b07b\f\LaunchWinApp.exe"3⤵PID:1852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_6ec3ffab3ec4b07b\f\LaunchWinApp.exe"4⤵PID:1160
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_6ec3ffab3ec4b07b\f\LaunchWinApp.exe" /grant "everyone":(f)4⤵PID:3100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..-client-aggregators_31bf3856ad364e35_10.0.22000.318_none_701008567a383b30\f\AggregatorHost.exe"3⤵PID:5784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5468
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..-client-aggregators_31bf3856ad364e35_10.0.22000.318_none_701008567a383b30\f\AggregatorHost.exe"4⤵PID:3200
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..-client-aggregators_31bf3856ad364e35_10.0.22000.318_none_701008567a383b30\f\AggregatorHost.exe" /grant "everyone":(f)4⤵PID:4788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.22000.318_none_1e08617dd1895eb7\f\UtcDecoderHost.exe"3⤵PID:3552
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.22000.318_none_1e08617dd1895eb7\f\UtcDecoderHost.exe"4⤵PID:2392
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.22000.318_none_1e08617dd1895eb7\f\UtcDecoderHost.exe" /grant "everyone":(f)4⤵PID:4940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\dtdump.exe"3⤵PID:4196
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\dtdump.exe"4⤵PID:5172
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\dtdump.exe" /grant "everyone":(f)4⤵PID:4480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\runexehelper.exe"3⤵PID:5548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5916
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\runexehelper.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4312
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\f\runexehelper.exe" /grant "everyone":(f)4⤵PID:5244
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..monotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_618940d4a376d501\f\MoNotificationUx.exe"3⤵PID:5400
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..monotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_618940d4a376d501\f\MoNotificationUx.exe"4⤵PID:3864
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..monotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_618940d4a376d501\f\MoNotificationUx.exe" /grant "everyone":(f)4⤵PID:5132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.22000.37_none_46638c67a45b1942\f\MusNotification.exe"3⤵PID:5904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.22000.37_none_46638c67a45b1942\f\MusNotification.exe"4⤵PID:5812
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.22000.37_none_46638c67a45b1942\f\MusNotification.exe" /grant "everyone":(f)4⤵PID:5780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.22000.282_none_345ca27cf9ce36c0\f\MusNotifyIcon.exe"3⤵PID:4328
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.22000.282_none_345ca27cf9ce36c0\f\MusNotifyIcon.exe"4⤵PID:2084
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.22000.282_none_345ca27cf9ce36c0\f\MusNotifyIcon.exe" /grant "everyone":(f)4⤵PID:5336
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.22000.469_none_82154d2009b8e727\f\MoUsoCoreWorker.exe"3⤵PID:904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2396
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.22000.469_none_82154d2009b8e727\f\MoUsoCoreWorker.exe"4⤵PID:5652
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.22000.469_none_82154d2009b8e727\f\MoUsoCoreWorker.exe" /grant "everyone":(f)4⤵PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_6f399112972db672\f\MusNotificationUx.exe"3⤵PID:5464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_6f399112972db672\f\MusNotificationUx.exe"4⤵
- Modifies file permissions
PID:2112
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_6f399112972db672\f\MusNotificationUx.exe" /grant "everyone":(f)4⤵PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.22000.434_none_ae734c6bf20696b6\f\djoin.exe"3⤵PID:5876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5380
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.22000.434_none_ae734c6bf20696b6\f\djoin.exe"4⤵PID:5500
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.22000.434_none_ae734c6bf20696b6\f\djoin.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.22000.469_none_aa2bb1f81a06280c\f\UsoClient.exe"3⤵PID:5804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.22000.469_none_aa2bb1f81a06280c\f\UsoClient.exe"4⤵PID:5596
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.22000.469_none_aa2bb1f81a06280c\f\UsoClient.exe" /grant "everyone":(f)4⤵PID:176
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\ScreenClippingHost.exe"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5352 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\ScreenClippingHost.exe"4⤵PID:4760
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\ScreenClippingHost.exe" /grant "everyone":(f)4⤵PID:4832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\SearchHost.exe"3⤵PID:5248
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\SearchHost.exe"4⤵
- Possible privilege escalation attempt
PID:5304
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\SearchHost.exe" /grant "everyone":(f)4⤵PID:3552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\TextInputHost.exe"3⤵PID:5432
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\TextInputHost.exe"4⤵PID:3636
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\TextInputHost.exe" /grant "everyone":(f)4⤵PID:2728
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\WebExperienceHostApp.exe"3⤵PID:5728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\WebExperienceHostApp.exe"4⤵PID:5388
-
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3460
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2700
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4132
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- Loads dropped DLL
PID:5524
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,1⤵PID:5164
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵PID:5280
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}1⤵PID:5252
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵PID:5980
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Accessibility Features
1AppInit DLLs
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Accessibility Features
1AppInit DLLs
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Network Share Discovery
1Peripheral Device Discovery
2Query Registry
5System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5b2ca1151f83573bc172ddaa172f20c3d
SHA11d1f37de1726055f2f4f7e04fb40ba16404776ba
SHA256448a89afddb9bfd9d19efed398d9102a8e80405ff720d9562b5e2ba2a36bfbf3
SHA512c146e9389fcb66553db632d48a9fb76253f6c52a2037547a242d5b31fa55cebb72f5554257b2fd58639896f3df08985a66dfd76c35ef4103db5b7e2c0a7c8d1b
-
Filesize
649B
MD55ef9d6e4721551c6246f9ce680f3ac6d
SHA1e68eb6f377e24c9d22631ec555c3da418ef8194c
SHA2562fc1b44314684b421768186f23efb045ad037ce3970b683e91a03c7613a3fc5c
SHA5120c7b2313946f6c8ad22d9a3f1122f1f68360c626490f8fed6cf0166d8d32f9c41dc716188fb48b246d74c69d2f85884c5d52f42502b852a6a66ee6a115c8df9d
-
Filesize
63KB
MD51901d2bcbbabee4bbb9804c30642ae2b
SHA1f31774bc12614be681c0b0c7de3ac128f0e932db
SHA25615eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310
SHA512bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f
-
Filesize
38KB
MD5f53236bc138719b68ccd1c7efb02a276
SHA126b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6
SHA256787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8
SHA5125485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740
-
Filesize
78KB
MD5404fa1ec35a8f60a4cbf8d0879e3ea98
SHA1e4f98db1a8e982ff8e2bc4955655c7854d58c427
SHA256b4c8fdaabcdff10a04bd4f6af96ff86588ce458dbc07a3b414d10cf28279c110
SHA5125f860d0ea1536e13ca50e5eccbde280091be01725b036db68030211beede78e28c45d72ab0090ff7992e94469547c0f4d9ec9f9a171bff784d5c75cbecc5b93d
-
Filesize
4.0MB
MD573c8041e8b532d9791ef3987f82d73c2
SHA10ad458c01db820fa808d41d38e282cf962806910
SHA256188698d10b1f7b9710061ec95e0aec55a0cb2239e622fa4f7fdd5d360d00a007
SHA512a5402ec7871867d579d1a9c8142ebce31c23153ec4395e746474e524531dd58781a0644cccd869333c044a41e61fef48e118f4ed46860bc8cb7b90fc60925304
-
Filesize
1KB
MD5294c44807b55ee34e50bdbeb88bddf04
SHA18c36db297d40a167486a27d42541473dff863ccd
SHA2566772bced8ac94f3a028061b10d616f0beaf9c5e668285f9fe2912a49ddee901b
SHA512119d945224b994cffd52ab325a8c1edeaa07e89d1aba780aa31f84f8c8d5fe7ca6f243228742763f01667756b1bdcacb95dc780f66ef49753d42aba4755e5135
-
Filesize
2KB
MD5f4fdf38e2f8e22e546fe865fb8cb0327
SHA1fb39016ab4297901df6a872f5db295fc31b50410
SHA256a0b1e4997231d9eb58e26bc53689b1d5a778023c9d10778cea99111c0c5e0622
SHA51220d2acc977107842f845dd1ef3d59692005e74b289e51c9c77532d20bca8695a7b8b971f6353345a85bac8e046a8d13bc2bb151b8292f5052ea7a76c1a2e6a6b
-
Filesize
3KB
MD5bd39a549c82df6d38c0fc8f848d4dbc4
SHA1392612616632b5c7b5e6d8dc94ecb8753e4775bd
SHA2562b4b61b7326abde02d5cb48d7a60977c7e51b6aedabf829aaee636b59e8c5496
SHA5125f4f0857086cf9916922adbd96ec16bf814027d07257dfce7c8d542bae5e4a7ed05679530e5c2e62aad5d89ed548dc247ce6792835ab2bb0e9337e0d93cf4ee1
-
Filesize
3KB
MD5c7167b0a0eeac45d716479237f69411a
SHA196feb299d76f3460818e18e02462ebb452f1622a
SHA256166ba69f9668f78762a59000307d771ee6cad08fec8daaabb5a8620f6e2d3a41
SHA512b2895230d6e99d9acc9cb8230babaf61a02def493683c81d8e20a2091a24aad9720f079efafbcb7d5c546f3d7e3109df27699206adb793d0a83f18b6f1bf3614
-
Filesize
4KB
MD5f9968cdccfc74a2b563c58a9e82b63f1
SHA1835ecbf0a222753f14b59f2c9a5b6401dbfca21c
SHA256301f25bf5cb9f027d716855c70f6cb6c63d324e5e8629e11e6e013ce96250183
SHA512b567d7c7be003e635c20e3ce2d8ba45e2ac211d429d3c8e485f82cb90ca17e71a83b56ed2186c297631f59a91bfe559f067103e83b01c700c7a7146e0503ba62
-
Filesize
4KB
MD5d66d5b6f67d96526f6a9649f98d5a2db
SHA17399cbd9ab76a560e98e4baf644ee718cdf0b97e
SHA25643a246656a737946695d748df1f444af0dd5ea860026f3dafbdf9f0276aacff5
SHA512c940a73e1f628faffb331498d7a5671cf35560b8fe7fc45b082634118c0cc359975dc009a67b16ce2474357a2b4e42661acc1933936ca065351e47ba09eaffb4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.microsoft.com_0.indexeddb.leveldb\000001.dbtmp
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.microsoft.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
3KB
MD54576a17534cebdaff5c15de0dadf07e9
SHA195a8a2d46583f91b09bbaa4e3d5309fc82924442
SHA25649ffac5795e8e9a79493b669edaaa5b119cc0a24d94ceb6c90130e7defae2b5c
SHA512e16f166efa88381404895d9354d301745216a7884d7b4861d1f73a74d5e00bb0edf62bff2c556d4c84a779342c8e915d82f7e292db174483d2327f058156283a
-
Filesize
7KB
MD542a669744da0b312db0688aea03e877e
SHA1cc2cb94b2bab4086377e55c9a9b424bed6395b50
SHA25633160978d3fc565b6ade4cba2b4fbf005d997ddff52a74c95d36aefc9a7fc707
SHA512b5f22bbace6e056adf79d794efcccb65c8726790a9fc8aee8ac90ca1a6941ea61442161c1c68d64b77a007eea271a3f6de0bc9be6e52015caa16cd763b84f3e1
-
Filesize
3KB
MD566348da9a37e783de46dd05424257eef
SHA12018d5c39e9440599324db9e3ac009a37ba89df7
SHA25647996f4fc3b99f6f00138b8f3a12d2f77a59238756ffeeff1df04dec56636fa9
SHA512e3ff0f481a302f0a2643a6fcc0e900d3ecef0353006ea1067223bb5a9776faf9e6f9030a2a8187c973613ada14b513a3c2fc6ff3709cd0721743030102411970
-
Filesize
11KB
MD5b2166ec9ae776a3d7e11cdef72cd8b54
SHA1ca07d8cc5d56090b69b1d49fd66d53ca27799b7e
SHA2562355f56d096429c0847cfe85fb38ae335e763b23ce1e52253fe0b41fe6db67a1
SHA512ea485aa33dce59149a8c02d46ba74b74ce2986ce0de576fac76e5242afd5919fdea552731f32dc45d7f745d2ba7fb28482962d6fea087dbf80373d7f0669a9cd
-
Filesize
11KB
MD542808159fcd9a70a66b2b2d587167e30
SHA15f0860fc8a1069b9c40d046ff567d5d2b12804f4
SHA256ba76c99a11d151e21f54037885c776d833b7e635c685f8c4b7da6dd9d3910905
SHA512b68423f2f2a2bbca411dad92fb01eac98676a56465ba4dc34c649b124dcf58923a1c5f4d7df7a267b85afcfe58b72fa9a92bd469d1e5667d81f8ff78a4e5f2e1
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5638c0c14bdbd07d803792522f37a5a25
SHA1dd4d4591bc454eea3eb484204fa97328627e87c8
SHA25693e6cb13fb518a04d6d013b7ff3de926070c1b147eba379baa805b98c117cd6f
SHA5129beb6efc810570cf968badc1db3eb4b3dde82b94a56b54cf9f65b3e93e9b2d2b58a2d13519cd49a424da13d30b175b43dcdd03c577181dd4840eecd24bb1f140
-
Filesize
11KB
MD593e8da05ec7168d4a8b38fe5dc156857
SHA134af6c348c8f2c3c05288606ee740fd00d892fed
SHA256ef7e54e4234cb4f2ac0ebadb034cde948aa39f1c36b505b8382ba06474e71ad5
SHA512c6cbbc1244775fe901c7d7fbd9f08413f511b035560027dc62434dd08cb683877dc05f91ab2cd655158586956caa39e456e0cb755bc1d1090d69ca25f2635caa
-
Filesize
11KB
MD55b2a0b88049f8ad02f20b73dc45ce9e3
SHA163698ee5998e9faf6baee9acd09395c000e32f71
SHA256a142e0300b1c95bd7cf4d05340c5b1cee4759f8d28e4972c1436909f35e6dff3
SHA5125e4c592b5eb22f41d12617c7b83ede971ffc1ef729e2f13e2cce7a32c1bfbf67b02e02cc93498bca9bc33895f9861b05efd067dda71c9dab85b5c05ca6cd81ae
-
Filesize
11KB
MD584081eb82f1ca0a8d14663cd917269fc
SHA1659e0e6040f741556f7e15f20e029d319cd90991
SHA256afbb33101dd82086d5cdacbc347087fd7bb6ca08e54f06ca0a29fca6a0b2c5a0
SHA512e11fbc072f963c3edc6b804296f940810281b91e7c0968d878fb0c18218d6bc39376a65a1488ae3d472aa5dc7f7a6bd50033309b7adfb71c87d687861b32760b
-
Filesize
11KB
MD50dcd7ced25d00f49436bae509dea4b43
SHA1998d5151252805cf1bf29e63c816af7aed8a60d9
SHA256833dcfaf66182a98875e694370f1b90235fae791f606632616ac7106e839251c
SHA5124c314c3d3c13e0d8d390a73b9cc81ac4d684a13ad7da2985e7bc7685c6d971d993e7afac2ac872e3c711811c19aeb87ed1b57dedf70f67808e156c193390a42d
-
Filesize
11KB
MD566fff1574019459b341190ecd09505a6
SHA13fa560413164647b50639d8d6228178aa9e140d8
SHA256b0ce11e53d4123c22949701e784c826f69f7bd7006f57ee8d7688a86f5081ca2
SHA512919f812b184d57f0a672e0e54494ee4330dd4e4bc774d8d430ecf9f84cf5b086f45c9c4b24bbd33f165f425e915c4031173469ffd167e7eec49110d62ea97b9b
-
Filesize
12KB
MD5a0faa0a5bb408749fe141b46492f8f44
SHA1ba9a121397a400f880a02f3f07cd6994b546cf0d
SHA256bcd2b563361ba34d8326009e32a653dcd743b150d82400f4af323783a71c6445
SHA512df02697885be76cb4a7aebde768889617c1f4b28d5f35b35bc94ebf7474fa76e7c851d30eb102df83f47c1b4c7f3ac6f22bee8be7776f5393b1567a0dfb04fa6
-
Filesize
12KB
MD58630cf73d1ef38f4f0d5a55c0e27d939
SHA1d25599d421c6075b57576c838c14ee7c70a831b8
SHA2561342621005aca912c73b501fdad340cec13c71e78ece863d851bc1b6db07545b
SHA512b3f055d163636c65eaba6bcec442bf1f4cdc552537767ec2698e2310dc8213cd592533517e79c4d24e60f8231de4206f758728a3b83d8e14cd17b5ba540c5efc
-
Filesize
13KB
MD528441503fdaf79965db09eebc0fa3b0f
SHA1743419cc3659403d65d02ac95a760fe499566646
SHA256c3c8dfb089222e37c3d99f0f6f0e1c348ccef31e6eb2371d1c480629117c1d17
SHA512d7368f1777645c7f32d847cda28f5208cdb8b7ee508c3ddcf9ca69a48e1f89a75584db275e4afa5ef59cddfc6bd225184379f326435d49eb840f32c75b3d9677
-
Filesize
13KB
MD575946a59e8b674d1d8c0d927515e0d2e
SHA1c108f8c33df190e5fe36a4524f0abf6ee724a251
SHA256926fc743852e5ca111f4cbbdebc8face693ce231d85aa4bdecc0a5f8a7375171
SHA51249be6a48d0313fa230ed160637d504e8a7e49d89cb224971e215645782ca42fedc501cbbb9066090f71ea0d0eefcde9a077b10cdd0c3527ef0d369a24f5f5486
-
Filesize
11KB
MD5d642ff4c6ec96427bb8ff76a770f05a0
SHA1fb9ec5dfe81e47df9521a66aca5e922820348c9c
SHA2565db9624f44f5f7d28cd56da6775aecbb8b1d8b72de33e0dce2912b6b9bb1275f
SHA512bb2fa6c68b1411ffce80d4251f9e8ad46b30b9498adb7d766605b7448f415139c297c501642ba7fe296a15c87c0cdcc37af97ce3aff40f8799428092617620bb
-
Filesize
12KB
MD57895552502cb277581eb71264642b34f
SHA1d4391c876a0c2a01e329a29b1584c5bf25207c41
SHA256da9928070e59c8fb43523a56a6f1bffa2fa7db4c1fd870732a48a4a4cb55fb6e
SHA512d917a6e6cc403fd83db439e1abecfb91816ab939eb36593ec5423cc6526a2efdbe1e1a671ffa52ed6dabc5fff2b8dcdf3124ec4a81f039d3ea4ebeb6d2432eed
-
Filesize
12KB
MD5e02a8169a9b048e6637591bbb1130e64
SHA100a40cada634017c1021d4c52cc301fa3d191bb7
SHA256e62c0de37de72b5d7b696c54a9af1ae2efb81665b5b9a623e7ec3e3ce1806fbf
SHA51248dc2daba8b902679185c024ca48a502e4d5fca2dbb68d0b51f450a76807e26a69cb170c0804a4bffac4bef16d340c4e7b93e17214f81664c0e235dee4bb6bd4
-
Filesize
12KB
MD566e263723465e0fe080070fe840343af
SHA14c2280f63b40188b22c8da33870c3baccd010394
SHA256dc5a59564828a2bedf5021c34d8d9617ba6fd979682408e18b0f68c2972c64bc
SHA51202eb73ccf43c00fbadea0ecf36e064fcb8f0ae4c56701156ecc1b453e4dbd58c878d9beb385ef787bb0bafc3bc53ce7434b9f3f42b8cf9243d24da0ce96d896e
-
Filesize
13KB
MD562f0cc1bc2e369f9f341c18bf8595a9b
SHA111cf5145ec43b96331b08e25a57c1c6e17342422
SHA2563aeb5c5f918d0688a3c570b1dc03a0d52eb9a833639d277adc6265308da7d253
SHA5124d93617a3930d57d4928951e817f2ed2b9d80f35ecc763af736bfbfed7b393693c7042e23e494ca499ac2c182b4528354a9dbb2e38998c3f6fd1406f82c7ea82
-
Filesize
13KB
MD53cf9dba39e303c3084385d9aa08fae76
SHA1d5dba4b92bb8357dea8f017c3d0f76e7e2660718
SHA256ec4ed524c5622aeb7fb4b409407e6d6f83da642149ed47e6b43996d017a24a8d
SHA51265e54988c51db64dca769095b12dbf5875ab3d2c4229c0dd6dc113d4225b03f9d5ada04559a921c276c660b0954b0a6dc0099e6b9f4c5e49f91b72de58f63297
-
Filesize
12KB
MD53d05adfdfd3f1766e1d2471efef53b57
SHA19ab1edc9cd3267cd0f3a3730984f84605fd1f037
SHA256d053905c980f7225e7858a66bb425347ff1bec5afe687df72e476ad7dce201f6
SHA512ce2f8ef67c83b8fef7197148e00ef1cba908402452ecc2e6433a9ebf3b6d9aaf873a444121d77a640dc85be3073fb7f55babaad73ffae6dffbf9efc45841c6ca
-
Filesize
12KB
MD5d4425b585bee044fb9216f3cbf15c9b0
SHA136b8257ab371d5028d44982ee47537f1481c4374
SHA256d49f5b9409b55bcf1ea3e9f1a8f21feba04ae6ee4e3f56ff4986878af420d79a
SHA5121efcb5b7fba32c8c49932a24a64d887245fa59cdfad65bb24211b61aa6bdda19a0efaa58aa8eaa3ad6fc9b006708dd9fc8c987b9d5278aa75ec2146809105bd3
-
Filesize
15KB
MD5a8bb56ecfe871b00ae826bbd7b4a6fd0
SHA16a276534042dbb3960221f93b25f02c749a66145
SHA2562b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090
SHA5125078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD55eee2941660ec1ba7d6d0d6d1b5d4b40
SHA166a01287b9dc017cf223c3d55194708c9e237fc7
SHA256ea158d20785bac60cc20dbdac9556078973d365ad1ea347ab5300d3cc2b777ac
SHA512f87a3f327500dcc52f36864b649289a99d1125764d715b9f22f298f6249ce8d53bbbbf4fd720e534fcb01170bc4852ab9833aa2e85c40842ae1fc436cdb0a229
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580ec0.TMP
Filesize48B
MD507bc252cb34d1dce39e8d85972230474
SHA15eab7c097c87cac14bbaaec1ca11de289598d875
SHA256bf9e5be154bf9cadce36f26199ddd0d0de8423856ff501c5608414386e38c868
SHA51226839f8bb3a57e41718aca6d0a52a930151eaa4550e8f9ec4f97bb5b0fcd1782327d9a36b5fb549a732f43b721249d142efa56c279908125e941da48e02a54bd
-
Filesize
76B
MD5a7a2f6dbe4e14a9267f786d0d5e06097
SHA15513aebb0bda58551acacbfc338d903316851a7b
SHA256dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc
SHA512aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835
-
Filesize
140B
MD5d612100d34213edb1cd8e31956fd8bc4
SHA181e3beb584bd71c393252613b9dc1b7d6a7b0845
SHA256f0ce39077e6494de6caf08a25333112b46f200b9bd2417fdac6f2d58a32801bb
SHA51250494af87cd5ede066b46017232135f69cd6420b8ea1ad778a82e225406ab3feb3755c3ada3bc0768e9a6c05cbec8cd08deec196f0ae15530fdf3d6da90a9ae7
-
Filesize
140B
MD56ce4c4c47f44dc13306d0720c0c3ab67
SHA17cbaf872ce7b3c844b76ea58f9c926b2879a7233
SHA256aecbc181bfa952ba98eec72391370864afb73c6146209457b5a79f06b36e6478
SHA512c7e8b763f1d89aca6dd9440e2068064b43cddf24e411345d10b2a66a2ed0cc3210af52f473c3f37c174c05273b154515d3a539af02ca074987a12cfd8bd7bb6c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5fd450.TMP
Filesize140B
MD516583574d0c61e4fc5e03556c1156db5
SHA15e5e005b2e661d1569d28478eac75bc02c0328bf
SHA2568db83c3dff7e3596af529b4fd1f92ef97b46bc452655fa0ed21d6dd80903d5c0
SHA512fd5df60278672a9fdb828bab9ca76f8952fb3d711029c9f5a64355778fb8e97d0fcdc0712ffcd1d5f2c0de57039d2927ece4ccd7d8fe9d1bcc7c296241fa7cfc
-
Filesize
81KB
MD53c20054916deedc98a6619c6c5b30194
SHA12227a0202a4cbba2cfbbddb596c5841e23a4a980
SHA2569b9e967c0499e84e7b64cf47f7eb05240fb1c334c9aa69dd1902dd0eaa56667b
SHA5126a0ccd197e90edd017289ca0d0b64e14ad56cfb82814a4c6c98af979380c91b94ccbdcc31d52c971d0ceb794adfb27d280114433a596240a22ed368da57a662d
-
Filesize
81KB
MD51461279bac6556a314fcbf13e36bcdb8
SHA1367beb244c37b13f6e72a4b68f211653aff1885f
SHA256e61a5555ac5f3d7799266bb867d79166e449f205f9c60333164a03128c72b93c
SHA5128e01232159d889cda6d3148c120d120d73a1d9235da1ba05d65f9cad221e7af64898817cc944066609cef4b2f5d4becb42cf0958a73a3cb6bf49c5beb203df9a
-
Filesize
80KB
MD58ef2a85940130c3cb761562cf5bdeaef
SHA1ab2c1232ccebd67209596dff648495c4f38419cd
SHA256f60cd18f81a430d08137ea18d0979e9e72963038ae8dc4e184432d5d1f6343c1
SHA5128d2cab7b153b79a8836682eb6a5bf3ab51a3967504e3c3a6a250049ea65d25d678fede8ce5acd08f829282f968416c0435ec0122789280c469fe58576c34a0bf
-
Filesize
81KB
MD57c274bc56141a8423d538955434b235e
SHA1d02ac30452832ece8898e2c0b3265d9ded7df716
SHA256593dce14e6ac22c12960e31c6f4e01293b6046e0ea7f162f2ebdf82e0a4d13b3
SHA51225cf130ed22203d3f03e3f628b81ffe6b0859125d9c3f9d0c3017f7456ff5a7a9c22eded08988c1c50cbaabc3b4569514aa9789e0f42ffdd062713961ed7e267
-
Filesize
81KB
MD5003f5f25f962aa184193d3a1c6641b20
SHA108a32a22d28fde8c92a6e79c7ca9fb353c738c1b
SHA2561823bcd8f5dd3fb9f3f45895b7695e74a66b00a87543872a8423e8c7767b073d
SHA5129ae107d090a3c002a2f07c668603329f9c238140919c66cf531c35db10dc53442c3298c4fb341a1180ffcc1923c662c14ac19795e8a31bc1cb0fef7798265c23
-
Filesize
28KB
MD52ee5b130bbc42f85bbeb041d05af114c
SHA13d7d4d8be3ec98709fc5e81abfc1f605d57fa7ea
SHA256e90a2416ae24ac61dc48cf5c24305905accf5f2edabccf10d3271ca307c19502
SHA512c1f4abc9818936ca58cb3bc16947491c390a72c2f682a6f4c5a42680e49d8cac4c152c6d02777deffda31ead881f1d9e7dac415cbb4e620b70ce625d12c51671
-
Filesize
14KB
MD5246d62c4da8aac98732128cb18df5255
SHA1a2dcc41125b92ba2e7153d262e798ba5af64e523
SHA2567a356d57d472cbc3b7751ca7e987b834285596f6af3203362c0b3bf529a099da
SHA5127e8b50188164f756eef5f9053ed20e53994fd8fc3e18cdadac86dd90a6498cf9e3d2ce95b978b6528304d7534fd6570051d7de8d6936d5f707bfdf755d3ebb45
-
Filesize
14KB
MD58596a36da0313b02e5ce8e5e89b1eff7
SHA14a3b7f7f9ba4cd27aec389087a8cdac3132e1537
SHA256e1a5b34b7661911210f45122347bb9d8afffee9e82147c15ff140427ead5494f
SHA51295459a298cd29e6ab0e837bd9514d450ffb6d0d43be9c768bcb542aecff81101c8bc35ac0e122ff851773b1d27e4f60b970912b06595602df7a1060b651710b0
-
Filesize
14KB
MD541cdc7a4916f26c201109efc2d47058b
SHA1f73e137119892b8934012179d782f9a9b4292286
SHA256f1b0a2c8f3aed2eb496704c05ce7ab28623fdb42cefd553ed79ce986e42fc3ba
SHA512f5b58768837bd65ed119bb7751e5270ec83055db6c0cebb047fbb209146a442d87f8f7ac3afc02a987402519e0ed4ba0f4f3bbce13b73f6fbec3633830a24dd4
-
Filesize
14KB
MD528606eea00470b8f6f919143742180ce
SHA11138a7fcd3b977d61d61fa8d835b3e46e9913e4e
SHA256a4225ff73e06665619ca3ab5b5f6c0cd7ba4bfbcd7e5bfc9d6952b8b0da16628
SHA5125bad30dd9295731bb260f048f2e1dbe4a481495cf1925a0e5f8c9399c4b89f8bfd890bb998ce400539f3699da5d8d03c8ee669193595db8c2b6f82dcef74b4e0
-
Filesize
28KB
MD52be0113ce42eae55f7474a208b640f6d
SHA1f6ea5ea1a82a66ca9f3a59e145009639231d0a47
SHA256c27d177642702b4e58934cd3f62434af431bf7986fd118b38fb7eb21d07dad70
SHA512aad42ca842d185a96a398b86c20c1c346f38aedb5799b306bd4b034f643875db443faebc9779753f1d3d31a60a432b9805cb92c7fea703a6754a0cb7a889f186
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8d204171-3ed9-4acf-8a69-f5ab56ba092e.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize7KB
MD5c1e67314f172db79d0f3bce3bfb28e3f
SHA1b02026094c98423c59b1de5c3b70046cf510a740
SHA256ee54e90d00a19db61f951e1ab258be31e8335ed0596e46e1d63b55d3aac7ff53
SHA512f5881ba9fa1ef296cda83acff9f6cb42805d08b3bd9e56a4dd5b48405c0ee56265dc44881bad75f553f13e246009613f2e95c043e91a2aac6a3b30c97ca46bad
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize23KB
MD5bd6420a318453119f7d7386b07810ef0
SHA17cd0ee6c2916d3fdbc8ee214812807fef14a49a2
SHA256a65634d73ef9f7871030d16787fdd3e38f9953439c336799ef44e757eccfa42d
SHA5121fc13060452432a45ab7ba5381ccf840841b183eeafef032df60d2e600f06c5951d4fdb3aebb16ceb5bd2d4e9cb3f5ba4a53126b7322112ddfb001a950ab7c99
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize17KB
MD572420e8ece400c13c939e47098c3db72
SHA13363a6741a9fa2a32137969a271d5d2ab4a1b265
SHA256835dbef357c014b196081a09168255014e3dd8473db7cc9e1261aecaba5f2db7
SHA512e99841257e24fcb0a4044a5d9c1b928680749ded3ae4200071fe8b2922dded589b5f0cde6406fa4adc76f12fa950486a103751524973034bbee8a6ce55272311
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize8KB
MD5b61ad94fd67601f54eb6f9383aabefdf
SHA1aefdabafbd2442c20f179054a0eba8665aaa793e
SHA256be3b529de58e1780c4f5b2c0f47226b25df73dfb8b4d2736abbfa845f7371adb
SHA512ca80dc0ff6d7b20314ecc2cd77b6b03d8fbc6404e6c221dbbb26eed0865732555e1a8e749c0067d088c7c6af4ba37c216d32d9f0f2fb4455dfe89afd5df4f103
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize24KB
MD533c4f46c3f3d3c67f6da18d03742593b
SHA1d3e64997e8b7d7f7b3cc1adf74d9de997b190daf
SHA25692e41a3b0b1316a6064f9a540ade2199626b3299e74fce88f11e716b83dc4bfe
SHA51246a59909515fa443049b84e237085b045e9c369a9d266e66242099ee5d71df55f8404d524ec6673c5a37c9f1396e287615725ccc7d44d6d39689b36468ab1bab
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml
Filesize12KB
MD50fbf402cd933464575c7ff59e7e913a4
SHA12487d3920910fea2bf7cd91b19c8f94215bf3372
SHA2568fb43bd860037ff0d68e7e10ebcb1ffbde78229206bad02d12ac3b2a1c43dc6c
SHA512504da641a4856084778409dcea2d23f0d92a3fcbf88e672f07d9134feffec0e5eab242e9c68a2f99c664c409a8b4bf8077aea6db9ff2ed7d81b73a97ec17502e
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133873917696606430.txt
Filesize83KB
MD50f09637149b9179d847cbc50165bd789
SHA1d0a1f575d8511b2c45daf06069ea3c2faacb149b
SHA25650c8735ee740c41d280243af66cd27ff87729c575b5fec4ebd27937e9ddeeb5a
SHA51230a7cbd52ce750cfbfe9f5b534282ceab5f3073e0ad857c19e195badb15bfa8f485d4fa3ec7cc2070c293eb555b6831c2934ec199c139344d0264e5bab232498
-
Filesize
391KB
MD566996a076065ebdcdac85ff9637ceae0
SHA14a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA25616ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
Filesize
997KB
MD53f8f18c9c732151dcdd8e1d8fe655896
SHA1222cc49201aa06313d4d35a62c5d494af49d1a56
SHA256709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331
SHA512398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7
-
Filesize
73KB
MD581e5c8596a7e4e98117f5c5143293020
SHA145b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA2567d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA51205b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
-
Filesize
40KB
MD548c00a7493b28139cbf197ccc8d1f9ed
SHA1a25243b06d4bb83f66b7cd738e79fccf9a02b33b
SHA256905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
SHA512c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830
-
Filesize
160KB
MD5237e13b95ab37d0141cf0bc585b8db94
SHA1102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA5129d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
Filesize
60KB
MD5a334bbf5f5a19b3bdb5b7f1703363981
SHA16cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA5121fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46
-
Filesize
64KB
MD57c5aefb11e797129c9e90f279fbdf71b
SHA1cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
Filesize
60KB
MD54fbbaac42cf2ecb83543f262973d07c0
SHA1ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA2566550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA5124146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e
-
Filesize
36KB
MD5b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA2568414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA5122c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4
-
Filesize
60KB
MD59fafb9d0591f2be4c2a846f63d82d301
SHA11df97aa4f3722b6695eac457e207a76a6b7457be
SHA256e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a
-
Filesize
268KB
MD55c91bf20fe3594b81052d131db798575
SHA1eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6
-
Filesize
28KB
MD50cbf0f4c9e54d12d34cd1a772ba799e1
SHA140e55eb54394d17d2d11ca0089b84e97c19634a7
SHA2566b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5
-
Filesize
8KB
MD5466d35e6a22924dd846a043bc7dd94b8
SHA135e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA51223b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247
-
Filesize
2KB
MD5e4a499b9e1fe33991dbcfb4e926c8821
SHA1951d4750b05ea6a63951a7667566467d01cb2d42
SHA25649e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a
-
Filesize
28KB
MD5f1656b80eaae5e5201dcbfbcd3523691
SHA16f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA2563f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003
-
Filesize
13KB
MD57070b77ed401307d2e9a0f8eaaaa543b
SHA1975d161ded55a339f6d0156647806d817069124d
SHA256225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712
SHA5121c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552
-
Filesize
7KB
MD5b127d9187c6dbb1b948053c7c9a6811f
SHA1b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA51288e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476
-
Filesize
52KB
MD5316999655fef30c52c3854751c663996
SHA1a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA5125555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44
-
Filesize
76KB
MD5e7cd26405293ee866fefdd715fc8b5e5
SHA16326412d0ea86add8355c76f09dfc5e7942f9c11
SHA256647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255
SHA5121114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999
-
Filesize
552KB
MD5497fd4a8f5c4fcdaaac1f761a92a366a
SHA181617006e93f8a171b2c47581c1d67fac463dc93
SHA25691cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a
SHA51273d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25
-
Filesize
2KB
MD57210d5407a2d2f52e851604666403024
SHA1242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA5121755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68
-
Filesize
4KB
MD54be7661c89897eaa9b28dae290c3922f
SHA14c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA5122035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f
-
Filesize
29KB
MD5c3e8aeabd1b692a9a6c5246f8dcaa7c9
SHA14567ea5044a3cef9cb803210a70866d83535ed31
SHA25638ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e
SHA512f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e
-
Filesize
1.2MB
MD5ed98e67fa8cc190aad0757cd620e6b77
SHA10317b10cdb8ac080ba2919e2c04058f1b6f2f94d
SHA256e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d
SHA512ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0
-
Filesize
11KB
MD580d09149ca264c93e7d810aac6411d1d
SHA196e8ddc1d257097991f9cc9aaf38c77add3d6118
SHA256382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42
SHA5128813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9
-
Filesize
2KB
MD50a250bb34cfa851e3dd1804251c93f25
SHA1c10e47a593c37dbb7226f65ad490ff65d9c73a34
SHA25685189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae
SHA5128e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795
-
Filesize
161B
MD5ea7df060b402326b4305241f21f39736
SHA17d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA5123147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
-
Filesize
46B
MD5f80e36cd406022944558d8a099db0fa7
SHA1fd7e93ca529ed760ff86278fbfa5ba0496e581ce
SHA2567b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7
SHA512436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2
-
Filesize
364KB
MD59d4f6fc6fd8dbe8e7b498651e0af16c7
SHA129cb40c374a35220b72bfa3ea9ed4ffa1b76efc3
SHA2562acab73e737e9eafa7c74ca3c9b0762a9386016be7cc1ce0c090b00b793a7157
SHA5127db4d7e0d4ca4c6cc2e2d1bb21915cc240656e94547bb3c3363bc068c0ce490f9e0916bb8745762053e05f1f7e8752a8cb1d83916a71e3a098333b32ede504fa
-
Filesize
68KB
MD505627bc6899f8853de9a63f304d1937a
SHA111ccb451025a9b3d1f58b44b730521a7652fdb74
SHA25649aa5fe536281681d0bf933c59622910753c0ee4eb26d96f548cf4b2d752129f
SHA5122a0c6569b1dbf7a6754cb870325eefc028f69a758ca44c78da9ac77b03f60feba862e1bdd230ab6b78efb64e0da056917a50b18dd9adadd7e79f1fbb164eef9b
-
Filesize
78KB
MD575c32dd12eb6a303f16b4561aa4a3720
SHA1628b9c1504abc72296821575f769a14d4635841f
SHA2562cd165a4c0828c814c27b1ce07c3e4d8f254cda4eb2e91cf87b242c53002f312
SHA512b6759d223f0bef67f36ca74bd519e3f2cbf8dbb97ff218fb2f236cf41facaa08cdd6e8949adb4e22c75a00dd19e048c7d2fb68ef3d9d7f790ab7b49ba44b42f6
-
Filesize
82KB
MD5b0bbf69d2d7a34f86e0acea9bd678ea7
SHA1c0343796308bdfe623eb1f0caf99538eb58b76fb
SHA256531ae3e6ae92c7d173415fb7a3a95fdf61fb3e3fcb703a4606c9590225f03aca
SHA5127bc0b314cf4eb625aa56e6134f1cd544ce1f38b84c7a478ba2f34a484ab41328f820a1601a8d0f5ee602a59ace1e496f69c2820ce472b8d57a5dfa5fc8be69be
-
Filesize
39KB
MD55ad8ceea06e280b9b42e1b8df4b8b407
SHA1693ea7ac3f9fed186e0165e7667d2c41376c5d61
SHA25603a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb
SHA5121694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84
-
Filesize
60KB
MD5d25f901a3856dabb1e73c5362c72a724
SHA1ff4a20fa85c72c7d5020f84761677ce44d2d1088
SHA256c3c360cc72ce0f227327c4a2680511f35de05f158cbab4e09c1b48128b2a1f82
SHA51203d7fe826e20adcd911e9887e11b1095d9a3b0e8d584dc0f883e97884b59df078170beb3c2fdebe08cd02ca14d59169c8e35a353b0175b1dbd43844cea3a59df
-
Filesize
404KB
MD50e26aba54f4bd83da2913e9bd381e010
SHA139aed623d74f5fa611fdedf2059d17e11bb4a567
SHA256468f0aa8750fc5beb03b33cb10b40c048d2ddedd19da02dd82a52be93e54ad57
SHA5128335b839ac0fd4fc52b3355694076f91b6139c2b8cc0940da1b8683b72b1d32d9d76d0002d97eb296ab7745761141919b9e76f40613fc84ba082dae6690d0b16
-
Filesize
126KB
MD5e6c2cc40546052d4b6beb5627490a1c7
SHA17ba2e1e96ab78b564a4f095669ebe111802d7575
SHA2569c16bf522ae7eb5cb0cb309d819d4e51820aed39c0bc599c301046f5bb803256
SHA5128de1326817f09b4299efae443b7721839c786b264650b7e5448d5045c7d08d7e27b234ae73b27d417b7d44c956a97ecab55e2176caab05c520580bb4cd7e4b4d
-
Filesize
65KB
MD54f93177181c76bb5f534e4fa89fbd08a
SHA1a51622ccc8a61596ed96a3e12dbbcb6589d1bd9d
SHA2561a87ab84c11297973b31e845e97e78d33bebb516ba08ba517bc7a6ed8011fa39
SHA512ec2b7e69495ff054a97d49a876b9d67d1b733d240353e665b1c8e11bca55783d4d3b693cf97de5844fe6dfebb39e20d1e81c3cdb51f3e4ca48691bef6235957b
-
Filesize
1.1MB
MD55cad688a56837b74aae132fe72140f6e
SHA1288f1628099106338fb1ac98847a1de991680376
SHA25627d85aa797229a2d9e121dcf3bc8ec31661a6e4779d8225ac1af3476264ab4d4
SHA5127827163d172f0da3dbcfdd4b6318e24a524e87b83ee0d6d68de5bce1d443e34f0c9531e98287b7232077cca1ca9cf6291e2e5ae18989f28a9c126d7db0665d2f
-
Filesize
3.5MB
MD545d00e80581a224f60ee62e5a0a9f253
SHA1a1016580c15d3eaffce1dd548db1dd927f9f8422
SHA256a3dcca311b836b0644a465ed48ef726217ef530ffdb296cedeb8069776281c01
SHA5121c1365bbf018caae353f511ca2bb4fdd404c28d3de29141325e0b52751b040729ef2f21a7c845f4708e64d8a7946bcc649f0489a6b58bd8ac86253246a7d4e35
-
Filesize
197KB
MD549b42f4e7c5f4b290aba92258fb81348
SHA141bbe19d3af1e62b9c85bee3b6232de4db1a3231
SHA2569de477066c8ac228f050892e1ddc6e2ecbc8ead0d82e0f3be9c8e9caae8b581c
SHA51218a7860eec7a2c1bf7c13fa7edb95f775614ecb19eccea5a3dd246093b83eca534da7083b85d51e174902e3dc1b13fb10d1bbcc68003f3a92d677e10b907304e
-
Filesize
290KB
MD52c856a4aef3c9a90b19b0df0f00eef74
SHA19865a43fadf6f3919ce1c1a8c3b62e5afd110af0
SHA256b3fcfd5a00e48f0d149b2e7ee1c9f7e879a599e042e55406de09d2b4b9867790
SHA5120a1426252ebe373b326a1aceb3361af70150dd93626ca472c0e059bb025e9773406b4dbb0009f7f9ec9185ead936c5e35a263dfe888d7b96fb5f7e66548f7d29
-
Filesize
287KB
MD5df640b2c1e060347a0dd568a8b66d300
SHA192837dc54b2c97ff8757ac6e38219d07f421e9f7
SHA256bd71f06846a9408798e6f35726302ea2dea7d70d484a7d63a27e9f00c766325d
SHA512aa9afa8d83b60c5c18c08ccb887de91b18107872f771775434726e8d76705d593d57260abd28291fff15298588e24514d7a4420b3f21f4af81e1077b07cec593
-
Filesize
77KB
MD5feafe39b8ea25bdc65de40b088d64229
SHA15799fea352de6ff8d452ca93a918ad4d6e315720
SHA256c81a02a2631e7d1705aa51d949557c140a4b0c1a3865cc4345ed7b66d3dc953f
SHA512e54acff2613f3152e8cd33083a36e1e265d9b72d7b75e3d28e0574bcff71deae500e3cf41c3f3896c746e51d5a3c6544c349d6c9b4b166fe315b657d92ed6829
-
Filesize
82KB
MD5b17a1389ebaaf221038a84e49ff34148
SHA1974fcb96d2285b0489f3efec2a38f2d2f3e5f998
SHA2564df38c77e7ade9c699079479ecb12e280c2b7745a8a8d170b82fbde34afc39e5
SHA512bcba4b08d57387e056b7aad2f03f4c2650548232afb00bf6733e569ab4242fa591f7c86d13ec43444ef14ecaee6f4348046cb98b4ec87d2aa8dbdffe5447a71c
-
Filesize
75KB
MD5a8c464fd13c1f7ad7ddabd07d95226f6
SHA17c7a87bcaf2a5846db6fe48c4158edbde87ee7b4
SHA256b94ae965c22b7224e127646fe9e811a0028809ebc872e095db0e45f89f12c94b
SHA512e18587e082acfadf317fd4126414a0eeecc544bf7e444101f59f28f9ed949991db446f7395021f39994d985a533b25b72deccca0dc2a45855e1944cc75a91bc5
-
Filesize
81KB
MD570e012f11322454062979f1abd26b79f
SHA1a99b08ddfa0f729556a57a8d798ea7b490fa4e05
SHA25693d83f3773c7236a45298a3457118bbbdf77080a7a3296eb202618af0efb0bf0
SHA51265a5d34529842bf387c233943a3e20aa24aa37498041a2c5171d4ebf44753ad01bcca4ff7e4a316dc64d8dc2522e409f60f62565ad07a5eb84594ac94b13cfd9
-
Filesize
274KB
MD5511abcef6c44ebbb73f1c7388d5a54c1
SHA10d479ba97336bfbf5c181c13d2406287cbfe0601
SHA2565d8886b75dab167f80ea9a2de6bf2cc373ac467a00d4ba528aa824836e7761cf
SHA512bcc3716bf028af69a8d72fb0ee18cbaac39e03b78d8bb24ba9235518ed9834e9843d7e1f3e42e9331df2b349318b8bba218abf2b6f5def52c34c9b9444ab630b
-
Filesize
72KB
MD5343be393c8b9082730ffa920524d3ce5
SHA141a4c0f423700ec8b36e3980b28d92d7ddf5618b
SHA2566a378519ae4fa1d0f9b100fd975995564bdd73ce02127b75ea4e376ced028f30
SHA51242b647ef9e933e079d1d4fee8dbbc1fe3d8b084e115b19e8637eb96eb02e5585ca674730af2d6b7fef9178aa550d6a0206c858c840ab7d116af7fb945c05d41d
-
Filesize
76KB
MD5feeabccdfa22431f37d41d0b97d8a74d
SHA1b662c6c286a1f2363dcc3ca76913f0b6d2b416b4
SHA25648b6e9638e97cca94c0261e1ecd6195ce29cb5d10b1ba09998894ab0b44b10ab
SHA512115e2f96f41d3e203219849dc21d7daf14481d3fde426b4f9c6c10c53ed5cb14773a9ca404d0c4a2c15dc5165691bc67bfed185e65c93935f022e3e9722cfeb0
-
Filesize
76KB
MD5452f2733d06c6056d739a60f0944675d
SHA16b6e682193da816aeb512cc1cb03f856ac0dac8e
SHA2563b9ac837969fc10adeed2d2bceb389adff4a0a06d691712fdbc4bc4541505dae
SHA51200e1cdc8773a60682c05bd817fc58b16f3ff9041bbf5fa48dc2494e1781b20e266275d4dce658a80624fa7b1fac9bc795414847c7c4cb95faa12f3e279a310f9
-
Filesize
48KB
MD5e4ba175dad87798fb4ef742e06bafde3
SHA1d5f79e69fb29a70c59a0e5d10ba324f66aa216ea
SHA2565388110906120e31c7900b17d841f5e0ae2e0c2a0f2c40e5525fcb16be75ad35
SHA51251808ad3bd9074bed7fb38c6c4fb1e07465c5fd68e3b610e95d0b2fcc86f0ce75bcebaa6f6803d25bbcb7973196e2108b0d50156140427e8b462d335ddb14ae2
-
Filesize
77KB
MD54ffb743eb44d9369c6f3fa394f17adb6
SHA1a906eb44f83c1128db73b02b64ed7ae54bdb968a
SHA25626fa1abd793e253b2e001c5ab03506390c3fda24792c1ee906da43a6de50c4df
SHA51251d113f88739b3f9eabbda64a83b03e42266f814decf25561bd7d014dad0c23f85c73c9ac316aa1cd1f66674d4b08911755bcb9092295d5a405a2076808b209f
-
Filesize
251KB
MD52504979af88203e9dc9166787ee08668
SHA155e7be5616002f3b1b4c911a588559811114928e
SHA256b588595557d4571c681d726ecbaab9a73e1d127dce6ebfb091a81f1377174b65
SHA512d4c45f48b1247c4332404ff45455a68ebcc3fd25e41a74455c78e7a843810bd7515ac826210c0beed7232f1cd27b3988b463e8504bd68a334c5a1f9f4fd2bbb0
-
Filesize
76KB
MD5c3a94b82f3d3d9c083f37549876ab85d
SHA147e436a7c204c592df414a8f168bc605931d1586
SHA2560a1283af24ddfa7837cec9b8aaff0bed2c55d51799803d10b6401f026b5a3d92
SHA5124b9115a7e7878ccf267f6484b218e2579bf03d9e031b5f1e5a431d25a4fd724dce479569f25395585d6364b6c569953aa2bdfa020ddae12f6672b41bd0398b26
-
Filesize
83KB
MD52c8ce7a5087b00f287d344a38600a47e
SHA1abc211acbd2e4c4d67e6da78bcbc7b8203447990
SHA256eb685de31648c446b974312cfb6266d5845d5d55e96ddce0a8f3ea50a8788fdb
SHA51207d5e49eeccc0ce124cca8bd8971f76f92b71d0020966dcf58db13292eab4827bec66a286a8147b85eaf0e02acf21aecc76f052dd0de632ff5aca98a565748be
-
Filesize
82KB
MD5be0426246e23ebb4da7cf29946254ea6
SHA1b956e56b9590458d4c6991b5c7270c3aa26b33de
SHA256375168ace8119839dd8bae0c34df6e67b1fd388633dba636e24b034c20a56cd0
SHA512fdc692a646468e4820102f801c5bf00468c3821f4c8082eb638de7786eefb97ebf0edb939e0137532847d6b444b84d13e9b2b795359c95a7b77dd7339e924084
-
Filesize
236KB
MD5e9bd5a8f54caf70e74a2090d265828a8
SHA189ee391531d9544eecce2a550314e0a196b6b4b8
SHA25680d9394d7e0aaa9a16b1edd877783eddc3659164c9a93f0f6e6377a38f07a6ca
SHA512b2c353239a1e4cc8c6e4346e9be7b60478c08c7e40a783b9867413b02c39f7f960d23703e63b0e0e9ec07ddb94aeabaff58ed1e69a5bfceaa2103b057338e9d0
-
Filesize
765KB
MD53ec01cc311000a72026edb99624d5754
SHA1ba67debb2bf2e8e4473887e5ae6bec8be9133910
SHA2567a2a4d20fee4b96c91b26dfa4978fc8b38a41ba34827d1100b37e016c287b6cd
SHA51210c730d84a362c0e9229b4fadd10e03fba3921386fbdd537911d3221ab7bc41b696de25b63c968331a5d80d6d1e35fab0d144f3778e9f0e6f9d7aba013f39b08
-
Filesize
86KB
MD5ef5e98b39d6cb21ddc46d3175110fc93
SHA11b023b8028738142d28aa72d767f8e75738fa802
SHA2565fdcf8566eabddb3c0be9e1ef0de80cbf3c58333170fe49d841573af759ff141
SHA512efd69e37a648e71e7a379c7ddc9cb60b6a2a961a47f6329fd67a9d2c3d6de8fc3b0fe4793f063df5603fc7a496473bd29c001381a3bd845769b0e6b10bbd907a
-
Filesize
95KB
MD5146054ef4b7222da7147a3a35c9a6034
SHA1a0455c483d29f2a2941fb12367a09beb93a091ab
SHA2568c41970ebfde9f04a57697a065d526e263fa5698c3492dc976fdc7e8132e756b
SHA51249dded669ea7aa2daf5b3cd9242ef0063415d59463e69e01c160f0bc08edd119e918757864587ce826cccb9c47b585d956f8fa888660f85fa3a3aa50f3c0d477
-
Filesize
73KB
MD5f5eb9a7075153cb765d16127e2725e25
SHA1ad45b41ff5605192efd33d796bed64813a8566c1
SHA256e4d615c2ff01da1ecf420e829e66f14b323b293027a06b97e8aa952629f39f45
SHA51268ecda160c37543e4718c201167f7ecccecee105f7de61957316116814862da9e615523fc50facf9ea6583374f55c4a41794032a0bc59b824eae1b243d2fcb04
-
Filesize
80KB
MD5f01e0c5b9c30cd6474cb2d2fa15c4e92
SHA1d8d52a431bfac46085cd6076bb15b81aab158925
SHA256f82576865c9aedd7ab22ff215139bc053260c21cae0cb1aebd83798f0b357a63
SHA512d594b9bc117aab6271f75d52603a5dfce668df465243468daa4ba0c3ae99d47ad8cd3b0fc0f39ef9d0a9d359e465267c27273edf2ee5890e2f7525b0840e844e
-
Filesize
94KB
MD5993258db3eac84921aaa064806da523e
SHA12e538ca75c8e3a6e4dcc2918ef545e164abe8c76
SHA256f3566de6ea0ba208aaa007c3dbd792d229363b5f5997e6c4135cc0b85e7a6eb5
SHA512ee108ae49b029e412f432a571cdb660df1b95dfb881de2a2a8f42610af2677cd931c591778a9a86d1e6019b12aa486b804b91beb43325172aed9adebf9ae3710
-
Filesize
76KB
MD54d9084e41ec02eb50beeba3e5b9639b0
SHA1554793f5d8db92834c4a68d293219bcdfeb2afe1
SHA256abf424f36439f310b7a003ff7a1e9469ddd12fa9deb581942d6f0d72c0b91e78
SHA51278f7153bd583fcb3dcd5eb0cc8fb092424a28b7ea1c7c5e85dd0b6dc812fd227dff07fbeaec9da9f136e1d9d7a4aa93126764aecd9fd95ac862d56c4882a6395
-
Filesize
79KB
MD5dd808886515ddd8293920e172e3bcf40
SHA1e084a844236930cf7710d75c600df8443bfe9cca
SHA25659b03a6c8fb6d98745fe2e03543117634ae3128c28b8ae38c12c17d481942721
SHA512cbaca6507fa72982c9e4822f0770693c3b7078c2a090c4b29bb5a25ab514d94deced4f03b96251e9dd091e7d36ccab03b25ec0220adc39d422a681d525c6363f
-
Filesize
99KB
MD5300df2954cca5abb3b6ab303530d14b9
SHA1ba2f248d4165cdab5086341b3d504dc3e934df9c
SHA256efd68efdb1f9ad89e3a0e320004130e72e6204961bf0f67238827798b997d304
SHA5128ff29401bf0883da06a468d15b8f9795c617f231107a86ddccb9e4dad39e5ed4159b9d97f10aa758a81d8c4ea16da00dcf23647a9bd5192184b4fdfb3ef237bc
-
Filesize
320KB
MD5276d647540eeea22ea7a30d538835e35
SHA18525a5decc17735a842e98706bb5e38502702c50
SHA256eff9625404e40713e58dea1fbaa4ab368d1c807b52b2501323ecc0f3618521ae
SHA512bd61587cc52a5f684ffbc0bae6221151df5963f496702357ba377d0a8a1e19a60ecc219c38faab8596e53a8a778b24d5fa21bb708f31e9ed4ec871939e945659
-
Filesize
80KB
MD5d342df3fcd458c336e81164d9a3ca78a
SHA110787e253c5499e1a5ea8d3a5f9a160c74ede1d5
SHA2561500229bf884dbff0656c6474491a35000decf225bc3e0fadb56c4f20e310396
SHA51209caa744ecbb5b6738f16a6b27874d3e3bb40fe948b64b5c577b8f31430278a8e9cdd000b52fea52ae0f97b81acf4424f641558357bf544c41e62fe3c9807092
-
Filesize
77KB
MD532af6d098c147a86dd3afad6bffa4d4f
SHA1ee0c2ef4978a5178d61aa7d180eb6f56e91f53cb
SHA256979e3b154c3077223155f6b8528c50082ae2332aa4bb3766977a5e85eb98b909
SHA5129fc0fe485d9d0777d1dd69006db9352992e45a5d17280a57a9dde892f3991f65428b41f04ef9f741846e4a5c8ad201813d10e4f2a0a5770f875a6ea14316c1b6
-
Filesize
77KB
MD5fa29d15e175701b9c45b2f5cd46580c3
SHA18a7697bd35e4999f5cec098dd5bcd35905f4661e
SHA256571952a003c79c2f6783e2153101adaebcd1ee05e243cf7d0c7633234f0b0c83
SHA51228795b508cee1e9991e1ae654f1af04ef3707891c673e63662331bbce3d87998c69241f58a13497ab286ace5a45a14bbdab17c71f0cc9373488a27d34d840fbd
-
Filesize
76KB
MD55d16f59bc922664a266507b26928407f
SHA190c32f4c8e786913b928a811fcb8f7f804049162
SHA256707d1d42645cb9bc4e398ffe7d27393e08de7e787a7e7bf267103b2febe67d79
SHA51258f80b390732898d09b238b77562da22b33fda1f3a900ac3a3e91748806280b65122f752e270894933a705dc1a359f285bde9701ab7d593d720cfb60fe096335
-
Filesize
422KB
MD553926de25c9cb506add73e5f8622a356
SHA1ee5029d126ab7e0eec7d306a4e4ed0d7fc532ce2
SHA25616048d17f54097989b8c453aaa87358cef4eb9dbaa2aac51c97eba8cb214a050
SHA512308991a8a0e7fc70c5fca3ee9f157a5da46c132e0355bceeb0a7d500dd121c93bcd8c8f91e2be638d94ecdea585a49993dc22b0ba95dc93549c6395cc018c55c
-
Filesize
88KB
MD5fb8c0bc3894baacadeb5a6564e860189
SHA11d5927b80122e1c5bdc19ca4c443d2e91524a75f
SHA256ef525ea372970c9ae2c92bd4050b70f2efc598243686ddacaa880d381746a145
SHA512d45ee6f1177b8a9de732008f1847fe52ba89b65b4dd3428b788039bf46ef4a0e7169d103fda99804df14ee2845ee6c10a957b6b035bab4ff709324f17cd955d3
-
Filesize
302KB
MD50fa78e0744427ae456ba2f25ede6de5d
SHA15e67baec9be37452f1ea06055ba018fec09ecc6c
SHA256c80303f8062fa0880233f3bb5122ba5347e266d50b6b126b23fdbe46e85289e8
SHA51282e791c38b56fd0fde5b8c5bb42d863ceec6844aae60248490e5b19169b9d11551ed6300da228a633ccc55d4a10bf6f74ec8cfd01fd0b02a80f23d03cc7eb17d
-
Filesize
148KB
MD55003b1669a38660976272af577f5942c
SHA16aa147998857103254fcaba0b8d08acb713169d9
SHA256269badd578437fd794c67f8fc2a7da87e918908363f63ddec38bf277222d5354
SHA5124368ee937ee110a6aa70e6e2221d0ffe24512c70fc3cc7bfecf53fc861f6840f88890c5105627c7d79380220f0c40c1bfa4f403eaa1525a6cc6403d7081d5f42
-
Filesize
186KB
MD5d4e2ded6c7c9e9f7e26addc5dac82cfb
SHA10866ae3cfc06644996c73192d45780bd6cc2927b
SHA256db73b99097f3e817d908e09efce52e50d6fb9776b9fe5239eeb536cb6c2fb3c1
SHA5124d1d543e8eeeccd64e8ea9d64ddee9ab5b4c4245533d72e3fbd7ff068e85c04481ad3c9fd0119c5b3bb8e0cb3d4f835a0fe8d1833d7c23fbdf14ee374760b34d
-
Filesize
262KB
MD5c9674190d140117be506a070c4ef5be2
SHA151db8cf46f6ecac6cab85a52402fd66c035e837f
SHA2561e8e74e5a29f269157c043718b43c10c6f8beb806a6d2b3f3f2dd542731fd196
SHA5129d41b784a377dc9a1bb61e337ade6acf7f841a672609626697925ace30f8fc574e58ee54388a76b446a84d4ba6de46d72e0b7cad64ada5bf5664c28df09ca585
-
Filesize
1.2MB
MD5221c534deb612992681b0a2fb55bc5ed
SHA11ac3eb5a4ea6a0d876f8077e87357fccba472323
SHA2567b67ab12bd5dcc229ea7f197fcb7723b1c41a517e198fad31020d8fea42e9715
SHA512c9bd493fad305eb4c881eb6c9aa1daf672ec3531ca4871c44f3383b48389db24232b6dfe35ab6e82a5c8bc1a38f68b57fd30e2fab35bd6237d751285fd74444e
-
Filesize
2.9MB
MD5b02d15ec9159d708837121c9685fa551
SHA1577edd3d56f6a92d5248b35cd76a442b2c1caf37
SHA256d23519634fa23488b7151ff1c31cc81e9531033f669d10c119f375198d02e22b
SHA51260305cd9baa19a7e526f4ee9eac425f17563ab4dda0c861cc163b64495e72b547258ff7e804dd7c9820bd3543b2158109b1f72775096a2ba36ce02ad908f8a0a
-
Filesize
919B
MD5a132f4d4f23f1bc40cfdb88223b1c74a
SHA111fc3eea08765c7dfa697cd9cacd18f7a9900181
SHA25635825ad138cec97d3cff27cd8d139377e6ba4d0a55b473b59fb4f5f4b9508be6
SHA512c5284f403c6617947545b0282d935d7e3b2ccb30c67d85920907b7cbd00c01e4c560824c3e7d77a51e97a646aff806879f76e418973a66e2fe1086b8288326b3
-
Filesize
174B
MD5062f3f1fff1deb4e8abe7a16c8aa6398
SHA1c943234ce3e553a05be711da23cbafbe459c5988
SHA256f67ac334038896e37ca126ac4dbd1fff51cd0ffe8c99ed1cb709d64864b72392
SHA512c6bf7e63476f4ba36aa09a133bff02c6d68503361d9487d598b28a0bda631a496810bb9b0ba8c89efbfe16bb53693a6a81c93da1d00fc923b655a070d5dbdd2d
-
Filesize
5KB
MD57f5fcac447cc2150ac90020f8dc8c98b
SHA15710398d65fba59bd91d603fc340bf2a101df40a
SHA256453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850
SHA512b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff
-
Filesize
54KB
MD566b63e270cc9186f7186b316606f541f
SHA135468eeefc8d878f843bbf0bb0b4b1d43b843cdf
SHA25600f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f
SHA512b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2
-
Filesize
82B
MD5b81d1e97c529ac3d7f5a699afce27080
SHA10a981264db289afd71695b4d6849672187e8120f
SHA25635c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225
SHA512e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607
-
Filesize
16KB
MD51a276cb116bdece96adf8e32c4af4fee
SHA16bc30738fcd0c04370436f4d3340d460d25b788f
SHA2569d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618
SHA5125b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6
-
Filesize
2KB
MD5afeed45df4d74d93c260a86e71e09102
SHA12cc520e3d23f6b371c288645649a482a5db7ccd9
SHA256f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f
SHA512778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d
-
Filesize
420B
MD50968430a52f9f877d83ef2b46b107631
SHA1c1436477b4ee1ee0b0c81c9036eb228e4038b376
SHA256b210f3b072c60c2feb959e56c529e24cec77c1fcf933dcadad1f491f974f5e96
SHA5127a8a15524aecdb48753cc201c215df19bc79950373adc6dd4a8f641e3add53eba31d1309bf671e3b9e696616a3badce65839b211591a2eeebb9306390d81cfcf
-
Filesize
1KB
MD55a7499645619886bfe949250e1807415
SHA1152295cf08fcf1e21e26f05969cbb02bd22a8af6
SHA256db27bad6e59128d58031706c83210ae780a9261e01af6fde6323bd30f7a97b12
SHA512201fc4fa1aa035cf09872d6f335d94c97433b79af343d532d0dd5c6ab6ba60b5a3a3b60f466e2c7107c19e04ffcdfa8a016842b4f29ea3ee6dd3d60304d8d8dc
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
6.9MB
MD52c0fcd3dcdc31f3c8a19a43a60900ce7
SHA19127ffc5915e3142410f164ad8fbe4e4029be097
SHA256b553b401f8d8fa47db7f3b513637145453337159d0acca460b4efcdaf5ef5c61
SHA5125903ee1db1677acd91ffab49494af43a2d80add3c1c785a104b1737fc7f158507019a267e6380a95482da8bb9c1d8006b6bed6855fbc9e54e30394a814ed123f
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
6.4MB
MD5fba93d8d029e85e0cde3759b7903cee2
SHA1525b1aa549188f4565c75ab69e51f927204ca384
SHA25666f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA5127c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
Filesize
40KB
MD51587bf2e99abeeae856f33bf98d3512e
SHA1aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9
SHA256c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0
SHA51243161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a
-
Filesize
5.0MB
MD51fd2907e2c74c9a908e2af5f948006b5
SHA1a390e9133bfd0d55ffda07d4714af538b6d50d3d
SHA256f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95
SHA5128eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171