Resubmissions
08/04/2025, 20:25
250408-y7hvpa1jx8 707/04/2025, 12:12
250407-pdb1ls1n19 707/04/2025, 06:52
250407-hm4nnavlt5 407/04/2025, 06:37
250407-hdfv8svjt9 807/04/2025, 06:24
250407-g6de5s1wd1 1007/04/2025, 06:14
250407-gzslgs1vcw 1007/04/2025, 05:55
250407-gmlbmstkw4 10Analysis
-
max time kernel
752s -
max time network
780s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
07/04/2025, 06:37
General
-
Target
https://mega.nz/folder/WmAyxRaC#J76wNbsVS9RlhD0k7bjJbQ
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Modifies Windows Firewall 2 TTPs 16 IoCs
-
Possible privilege escalation attempt 64 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 55 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs
Abuse Rundll32 to proxy execution of malicious code.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Using powershell.exe command.
-
Drops file in System32 directory 26 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 64 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 48 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 14 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies Control Panel 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 64 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/WmAyxRaC#J76wNbsVS9RlhD0k7bjJbQ1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0085dcf8,0x7ffa0085dd04,0x7ffa0085dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1880,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1876 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2256 /prefetch:112⤵
- Downloads MZ/PE file
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2368 /prefetch:132⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4296,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4320 /prefetch:92⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5320,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5180 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5668,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5628 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5680,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5684 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5704 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5252,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5456 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4512,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4344 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4348,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5820,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5540,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3844 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5324,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5964 /prefetch:122⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5752,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4516 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4312,i,2463655092055193928,2379543797249018598,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3328 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0085dcf8,0x7ffa0085dd04,0x7ffa0085dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1840,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1968 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1928,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1924 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1620 /prefetch:132⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3484 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4500 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5056 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5244,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5252 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5044,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5068 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5468,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5476 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5200,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5104 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5112 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5104,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5772,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5796 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3664,i,5667782950481943229,9851121085474371068,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3512 /prefetch:92⤵
-
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"4⤵
- Loads dropped DLL
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\tv_enua.inf, RemoveCabinet1⤵
-
C:\Windows\system32\rundll32.exeRunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\tv_enua.inf, RemoveCabinet2⤵
- System Binary Proxy Execution: Rundll32
- Drops file in Windows directory
-
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa0085dcf8,0x7ffa0085dd04,0x7ffa0085dd103⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1724,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=1984 /prefetch:113⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=1944 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2288,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=2304 /prefetch:133⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=3408 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=3456 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=4460 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5104,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5112 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5304,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5316 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5444,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5524 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5728,i,734889707556530819,5505879270977104822,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5732 /prefetch:143⤵
-
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe5⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 6526⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\bfsvc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"5⤵
- Loads dropped DLL
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o5⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Boot\PCAT\memtest.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BrowserCore\BrowserCore.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\BrowserCore\BrowserCore.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\BrowserCore\BrowserCore.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\explorer.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\explorer.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\HelpPane.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\hh.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\hh.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll5⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o5⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\msagent\AgentSvr.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\msagent\AgentSvr.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\msagent\AgentSvr.exe" /grant "everyone":(f)5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\notepad.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\notepad.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\PrintDialog\PrintDialog.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\regedit.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\regedit.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812\f\LockApp.exe" /grant "everyone":(f)5⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe"5⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpksetup.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\f\lpremove.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.22000.434_none_38ca096a17805fa9\f\lsass.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\f\FsIso.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\SecureAssessmentBrowser.exe" /grant "everyone":(f)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe"5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\ModalSharePickerHost.exe" /grant "everyone":(f)5⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 9284⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0085dcf8,0x7ffa0085dd04,0x7ffa0085dd103⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1856,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=2080 /prefetch:113⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=2040 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=2376 /prefetch:133⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=3444 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=3468 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=4540 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4792,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=4804 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4912,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=4928 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5720 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5768 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5688,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5636 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5368,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5732 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1180,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5012 /prefetch:103⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5024,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=5660 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5008,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=4824 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6244,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=6216 /prefetch:143⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6000,i,11334475130082539470,17804725063862355239,262144 --variations-seed-version=20250406-180222.955000 --mojo-platform-channel-handle=6392 /prefetch:143⤵
- NTFS ADS
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0x88,0x108,0x7ffa0085dcf8,0x7ffa0085dd04,0x7ffa0085dd103⤵
-
-
-
C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe"C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7857.tmp\7858.bat C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tasklist | findstr /r /b ".*.exe"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\findstr.exefindstr /r /b ".*.exe"5⤵
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "380"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "480"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "548"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "556"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "640"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "680"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "696"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "808"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "812"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "824"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "940"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "992"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "432"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "540"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1048"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1056"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1116"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1124"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1212"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1244"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1288"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1352"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1368"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1408"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1528"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1548"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1648"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1712"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1744"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1812"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1848"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1896"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1908"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2016"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2032"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2072"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2148"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2244"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2372"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2380"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2444"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2556"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2568"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2576"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2584"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2608"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2648"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3020"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3040"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3128"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3448"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3464"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3864"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3920"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3992"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4056"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4368"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4376"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4680"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5760"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "6052"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4836"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5060"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4800"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3532"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2840"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3428"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5268"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "580"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5648"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2092"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4328"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3612"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1392"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3896"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3964"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5300"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5068"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3492"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5556"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4360"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1704"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2100"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "980"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4340"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2400"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4804"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "6100"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1436"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4720"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5512"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1472"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5716"4⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4364"4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2292"4⤵
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=11224⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=11224⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\net.exenet stop "Windows Defender Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Windows Defender Service"5⤵
-
-
-
C:\Windows\system32\net.exenet stop "Windows Firewall"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Windows Firewall"5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps15⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process "C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe" -Verb RunAs -ArgumentList "am_admin"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe"C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe" am_admin5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE8A.tmp\AE8B.bat C:\Users\Admin\Downloads\Destroyer-0.1\Destroyer-0.1\Destroyer.exe am_admin"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tasklist | findstr /r /b ".*.exe"7⤵
-
C:\Windows\system32\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\findstr.exefindstr /r /b ".*.exe"8⤵
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "380"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "480"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "548"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "556"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "640"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "680"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "808"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "812"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "824"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "940"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "992"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "432"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "540"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1048"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1056"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1116"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1124"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1212"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1244"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1288"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1352"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1368"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1408"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1528"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1548"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1648"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1712"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1744"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1812"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1848"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1896"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1908"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2016"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2032"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2072"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2148"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2244"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2372"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2380"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2444"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2556"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2568"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2576"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2584"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2608"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2648"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3020"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3040"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3128"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3448"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3464"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3864"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3920"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3992"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4056"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4368"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4376"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4680"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5760"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "6052"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4836"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5060"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4800"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3532"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2840"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3428"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5268"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "580"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5648"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2092"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4328"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3612"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1392"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3896"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3964"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5300"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5068"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3492"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5556"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4360"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1704"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2100"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "980"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4340"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2400"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4804"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "6100"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2292"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "3912"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2264"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4240"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1768"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "1452"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "4052"7⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im "5032"7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=11227⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=11227⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\net.exenet stop "Windows Defender Service"7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Windows Defender Service"8⤵
-
-
-
C:\Windows\system32\net.exenet stop "Windows Firewall"7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Windows Firewall"8⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps18⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\PrintDialog\PrintDialog.exe"C:\Windows\PrintDialog\PrintDialog.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"6⤵
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4908 -ip 49081⤵
- Loads dropped DLL
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4900 -ip 49001⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1System Binary Proxy Execution
1Rundll32
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5b0366599d64b0fc1adb2a712dcd02ee1
SHA1b7a1c09ccd2846664cab5f76bd80b8e9f107acb0
SHA256ae1bddb9e2cc97b0c9cd78ef3cd17553be6e5204677bd67e0b8f7fa27007f189
SHA512d7de6d48285018f8b709c81ca01688126db7893ce9f48829524ee3122aa6f2200c7f78186b5a558d0b1ecf8157ee78a20064b63b45ab89f7aa0835b8409435d0
-
Filesize
40B
MD546576fbe37e6ef4db33a5c78899f7c46
SHA13f6215c316e49037cf7d982d1e3c61c24e2ebc69
SHA2563a7d9bef6f92fa6c1635434581c6c7c18553b9de1d6ea7752eba2fc084158121
SHA5126ddc495cd18d425636369b63e9405bbd58699e3ccbcea9db0e31aac66875583c355f99988b46fd04de018daeaa773ce5199adb4a8b664fddc691682e87825b2f
-
Filesize
649B
MD5047b153d8f61b4d8d6878bc672ad765d
SHA13eb70279ffc015517a64ee566908426ce4bcb965
SHA256101633dd25e9b8935295c5daf9c87797b664146ea293abc66208e1dca20d2f5f
SHA51217bc813222400c0f262af7bdf0cbbda47cdc021d322ad5ae4fbceb7dbc492eab6acda2cf60ca152f67d47cf67ab4227a7242c991a3ae864e9d220869db38b7e9
-
Filesize
44KB
MD5ea015a57e619643c450af5bf9b16e03c
SHA1f4bae074e0d96659af2feb6d24002f6c1225543e
SHA256c973027df2da4a262c083eee473fd2e1587e18f25f5c7dc7ffd9cca037d2285f
SHA512c1b1096ec332205d3eaa3bb9f3b840c4c653a0b263a4638b4a2224c30684bc8e44ac55a6b4620a2fc8a277d62e490e42d27eb718dcea80ec3d8b7e0412002a13
-
Filesize
44KB
MD5105833d5cb941bf191e08afc6018a73f
SHA18bfe1c8d328c11ece749f768173de2a9edc8653c
SHA2561978fb47b8064a4fcab072b2f02d997070b33efd2f8a8d4c7d436b7968a41d97
SHA512e2fdffde938bfc699eb68653af88d92a60546213fafea7a9e45f3c2f41e76d2615e5293831fd7028b47ad66c9cf9af22f19915807411a79f14b8f07dacbcc258
-
Filesize
264KB
MD5efd3967c36739a2efde3c98793f25e30
SHA1ee0bad57b2b8fae9dfc189e7f14333ae2b6540ed
SHA256161fe121bebf8a62b1ce617a0bb00acbbc535b63712ef334a9868214253e8b56
SHA512a7fdaf86e8487720d5538b994a4c9cc09269c63712e0024ee10d00692a3b07effb73b8a19301b86d9d2223e8186102fd83709ca535419dd98a56542b3581980f
-
Filesize
1.0MB
MD5018c100aaf1822db368f1d8ddd098fff
SHA16a9027dfcd1e382dcbb8376fdc2970a88eb9d5e8
SHA25647d8789be33daf3ea2ae413eb0aa1060c5d22261292903d0231dacc0a4d027b1
SHA51259378ad1944d7defa028e1b971dc9105b9da5c09d9e091a0cd66c098b7458073fe716fcc94ac3845935d06118f5a1435bbb0dcd23491920b733b82459993df9c
-
Filesize
4.0MB
MD5fa22618d25bc213260a888bfb70f8314
SHA1a5869cc0a43867e27fda36b45ab26c22af071a24
SHA256e50eb61526e6fd15d819432de5602040720d14ca8b703ed76d6b9de9416519ae
SHA5129751971ddfbcb0c27dc96a7d72dd5e7eabb726957c61855bef4625cd8ed62f40b9813dedda901f98ea5e110dd104e198cd20ae19032cd2cd4ceb2818f600f014
-
Filesize
93KB
MD5f5c4338074f077046b82d789cb732220
SHA1252d2e8211fb2f7801b88e8d29b891299b679947
SHA2561361696afb2eff8146cfdc3fa9da8325a30cdce61ae33e7defc7fd2b7175d366
SHA51264f751224a4967ef7427e6a1b8c5d4148ef10b14e562988b7d9fa3e9a3646033ba506e8fd569860bc806215200ea2a13c9aa2263a21faecba41e0dd738cb1a1b
-
Filesize
112KB
MD5b5213e99bd617eb20e135eaf894cefdf
SHA1711aae35a063cc65a8ce16c97d8c766b5e5cbf2b
SHA25604fabb767f8189b73c778f03970ef440655ea4e000af392e64769c0221626f74
SHA51277f3868ce8157643a3ee0914fd6c4e0c509bf49f744dbb5137882b02450f7511940efba7042378bbbd01aacd0e0bb2a759d8bcfb731dfeb98eabcaaec0e245f7
-
Filesize
104KB
MD53822954de1ec9a48c0db87780dbb1166
SHA1a8e382a2840f7a0c99d02f2b05b851b30b2d7587
SHA256fe910bc51a7ed25e0e216d0dcbc159badbb7217239230928d17d87c4310c31b4
SHA5120183cdc3eb75567153736a2e9ae5687825fab8a050535f655ed3202843b4e859f8d761070e1c7a66bd6576ba72357697fe185842d38b58aef7e4ac85f0adddfe
-
Filesize
82KB
MD544a9c002fe071591c9b4f5e12d6d03f0
SHA111ebb90ba83dfea4138bf3e900441d8c3412e5bb
SHA2567dc57b2df871c944e79816c289f9b0ffa7999418724089a81f28a11eb3f549f1
SHA5125a2475d8aaa36e1b14e267c83bba1322a91747d543c38e18aaed25eae3b95710e8b2a0dec6f68d6ad0f00646f9f158a83c7ce315bc3a331dd6119d787f1aecc8
-
Filesize
91KB
MD54e4ac22bf060098c6f7f3649430f7132
SHA1c53e12f8a61351836a5b2eb5f4f15bc82410bea9
SHA256b296112252b3877dc5b6123717faf4bc3577ac6cef0e599f544b78e308729b1b
SHA5129a461e95b4b28bb429adef3d31032f03c7c89a0d3ee424a9db6e2220cfa131c26491b0db6e27a7908683d7ab64e60f7f11b4313a376ec7b3e479a77378bf9e3c
-
Filesize
113KB
MD5ed0413447156a48b0e6e0e45d28af1d7
SHA1d9bc5fb0651525fe3b8be3de328e354e63676b61
SHA256884d9d0be9ae2c0a81d6899c7b0e84d84337f2a047283a87a7a58d7791d413e7
SHA5121300ab8a5cf04ccef1fbb3b4e7b5ecaf1e104f846c2ba31543d15a21ba48b90e165e86e8f6ba044c60e858629cdeaa7beac78a18e766b6aa2dafd5f991b26174
-
Filesize
106KB
MD599ad492a4ec9b9c30c832f342dc3cc3f
SHA1630dc5365e9ba4c55d634817c4c9f87bc9328241
SHA2567f568c13910623a153749f691f385992d93275022e49ddb5c5d54e9bc2cd295e
SHA5121a5da8ddb5401baa103c3999f6d0c33914b270cee752acaa2ea401eb159945ef61b7184552713ae37ca6974a05bd1d5793ed99d676f3b7253c569372267b8aaf
-
Filesize
109KB
MD5e99181a1a6986b54b1d41267efaf76f1
SHA10a5d9a8e9d26347e973f848d9a86762ba1ba8587
SHA2562bfc579444e71f8c4320eba53d0d7bacf8a2332cba7983ecdc847487b80d876b
SHA5121a1bef46bb4583e741d323a08fa774edda60092d98ba8974dbe16c0f029c73645deb42369a5301d0ab1391f2b6bd71129cdbd73968fabfd5cc6af9ba7ec57f4d
-
Filesize
80KB
MD55be0a8d3bd87e57f6dd553fbd9043b76
SHA1078e15e3e1f12f0f6707ae8992e6b53eea05c546
SHA256919a415598f8e6de9a44b895c3b017f674f3651ff99ec63e2a75687d3dc69ef6
SHA51222c895e497eae54cd37ee424ea3574f29976f2079d8d81c9584119ef3ed5a22c19da1ca9a69e73485483732a67205105b403bdce8ffd81b9858461770a0b049f
-
Filesize
102KB
MD5560784d74d250c807cd826e00f36fe48
SHA1337b7c6c8c4aef2a537468a5d99ea2ddab4adaa9
SHA256f6f8f06d00628ab0b54610ba90d8f2e09d70dd5b080d4a351326cf6466be7c0e
SHA5127139ef550574d804e0ae5fb04a860c6d23b9f061697cb2fc1658d5818808d67a49fb167d13055f2256a90be33c52a520f11b7bfca618e6d9842a6a464fd55824
-
Filesize
32KB
MD5cd3ed9974c93d293cc7c430f5ccc158b
SHA13b26e9f3abf731640f383e699b53c66b738b48c6
SHA2566e375844cb9fec4cba5580005e89014698555b74756c994952cab40e5bea3c53
SHA512d46e471cbca4d1336486e374ba4850e7f37a28945fb3d203f9d8474139f201efec54362f612006278c57b9c054ae1aae4ae038f7cd52cbc52cab23d02ff1ec12
-
Filesize
97KB
MD5263b5557334eb275c6b0e9864b173d01
SHA1aa92ef0051f7bb0738b960d05a74bf86eda78909
SHA256efc4f6aee704b914e1ca20783452455e61cea1cedf009ec0f9f74ff9dd09fffe
SHA512fcf83333931d222b2d9fb09a13bf959ad16a1b56103d8be08a9f945ea32c156a68a560f367f8cb5febfacef0712095101907e1cab6cd84a586b82ab7d7ea935b
-
Filesize
116KB
MD59aa0d7967e407805d89e6b5b7fe2eae9
SHA1a9f19de064bb51a0c3523e17755d705d645ec008
SHA2566f948232c163cc2b8d3c858b0a411c41a55f912b72e74f0b87433c4b3243b4dd
SHA512a338099c0ef989814f057796520644859d6f32c16930bb4afd98394bf7901281b893fe737c11842d02f87394a549492933fa5b601d487ee6f701611f7709eda1
-
Filesize
32KB
MD5ab28b125527f320b4d0932fcea0e86b4
SHA1dc14a9b1f4b1104fad932c967f2123d005263328
SHA2569fb7aafeda5886a20287bb35afff9ae51bd5dabcc07b8da555e1a6ca58fddc04
SHA51236677671415e3c5eff64c3a81ae11714c32095c1141db69a36949cab7df7bb91687aa912446028008f05687d0bf45b33127dd9dff72d59f231fcf2c47faea931
-
Filesize
103KB
MD5038875ff91e37ed43aa64a08ca0bc16c
SHA1173c7259de50c80323211082221f501305c3094a
SHA256bb040b520308a664d00cdfbae65c63db33cad8800429fc6bcacbebbcf4e11d30
SHA51243d2a4097f576c2e319ecbb93e6bad5b5af9d9fbead785f6146d9bcaaeb07e9dabe2b82153da01432ff2e067d30407738b10e38b605f535e2a889704b06a7dd1
-
Filesize
94KB
MD52c2b8d4ce6bd0af1317f6718ac0b6860
SHA1a66f595399490d1157589ff17723301d8a2d0f23
SHA25662ec4c2c400a9270b1fa2e4c216e60bcf45e177c6d5fb572a58b5f16008bc8aa
SHA512d053462c05b6dd44253f1f08e64b4264df396475688292c598e997724c304a3fd10c42a6ebadadab3fd3b5488014cef7c889424e8632b26e38bbfbc0d74419db
-
Filesize
24KB
MD5f9d97bbf8529ef80d828b8bf73632c8c
SHA141667e3ab143a12cd15c333813b193224b888df4
SHA2563aa1dcdaa93d0bbeb556a51d7acead71e2ad9dd1528eb9618ae85be8264f0cee
SHA512686228d114b6ceb4beabdac4a7e2dc663be034cd032ff5a352c1f68b7f1ba7aaa9e3048e8efafddaf423e0268805cdbd28b7aa616a139a6fb8292b07fa254423
-
Filesize
112KB
MD524b261e83927c15caebddadc11764772
SHA1c914b7e7b4d434a935067c4b2027caa147791e49
SHA2560622ae7bf7b18b80bd89f9e86f4df3d56ce35cb48253ecbdcb25e1e3f0507b9b
SHA512cec91d7bd9195e1a09d1a4c87f0ba6220f0d5bcdd5078896b87f14ee4bf51ac99179e248b099441f6ab18cff707fb1d01b584735cb820348ec572a157517dc18
-
Filesize
97KB
MD5af53f6286ac2c1dc0f538f36e7fb59f1
SHA15e8a2a0482d2273f52e4be1c7df83f954734fb1b
SHA2567e681ebe04a6f5fc6d28e08b5ed6a0c8784e44e3d40834daf839090fb5182ce6
SHA51222a6cec04ef8fb587debbfb9f492d855cdd89ed8f56c726687f27ddb250581eb735aa3d2288d336a16b380bfca2b98fe9092c72ed497ec13f5826859a98312a9
-
Filesize
100KB
MD50745300dfc57c14ce5c83a6b29bde4a9
SHA19225460653d84ab2f7524c268c8e6a950af3b252
SHA25637afcff4234282351bd40bdb17002ad3c6993060a518f9787e4545bed6db8c26
SHA512909d0ab73d341057f17a8f916fc5451ff8a00629a58fdd44f54ab9ea590a530e4f962898e426f89c53cff6ac8c1fa5239ccd02471bb296ccb3449ebe874b6789
-
Filesize
90KB
MD522056b7aec8137db7e8256c5174f2012
SHA1bcc8554fa68f08aead55f7ff859567690da8a78f
SHA256b54102efd459c5e86e3a655d49054f72a0ae37d2c0f49a61823cd8fcb9f2694a
SHA51280580bb541d2604367b93bb1499604923df7e69fd64ed94974b7bb6f90f7395e3e69006e25bba45907e6d8d96af046aab3e0472549b008767f2980055fa65b7e
-
Filesize
45KB
MD5f1e0fb4f23154a994c449d31c40f3509
SHA15fc2bad1bdf494aaf3721b62ada79c10b6301a3e
SHA2569f181f1b68b5fa438b52bfe20ce1c545d0555d0193514540e50bfe4197b10cba
SHA512be02fcbc7156549574455ef1ca5cc6dfd3f19648e98ba573cabdf54e3d740a52ce8585ae3b3eb5119696c8017ece822a400a57fa06b513112f5b3682fc47c1cd
-
Filesize
88KB
MD504aa3a4bb657c56c19ff316c1022732a
SHA153c3c94ef1a53f2524cd01eda966656852f5a221
SHA2560b86f3bde3c5376b9ca70d667f3ff0793e6277aedb3af8b54f64c634bec311d5
SHA5123b72ff11f0063a77075a9dcb73c4b1b927adca35d046ccbecc39fb6da7548d5c885ac023164ada4cb654688ce72304248376dcd7de811c5495ebd51e6900bdf9
-
Filesize
89KB
MD5f33f9ae792ec7b4656947fe4eb83c566
SHA101b8c8c05e42ee5552a3bed6ac29491108903225
SHA25669cea3a2a478220ba8347f4e42363722341f7a2288ad6889a7af48d2c0cd12f6
SHA512ad51d78166d873a1bda11e9f2701df8023ea8698fe981e61e9363270c690cc0b6005adffe7320728f873f2411dc487e285cee9f5765f928448739b93dba7d6c4
-
Filesize
48KB
MD5aa82fc7241f57a1e3327d2381b748758
SHA102fb458b23e893bde880597c70e39984f8a340ff
SHA25668ba830fa316b7ce8607353f984173baa766bb07e763be275228a6e9dc423e8e
SHA5120742582d55edaf13320276ad0374ce0a925073e7c70749a49f5e4f5feb35c1678ead6da0355cc0cbe81774f18cec5edc8fda1daa8105b763b0e7087481b9d886
-
Filesize
87KB
MD5a0be78e86424c26106ea2fa5c3264393
SHA132d0550421d434a4b61d8ae1e5ea2383ec403ce3
SHA256571b4ac1212e81c7fbaebb13ebb8b12ce366a9b8728803a0167a7d5ad080c747
SHA512a61e046bc07f45d392faf2e1a2e2a2e5014054cb76a2bda0560458e8a50f8fa3a75f75993f62874910f4c0157bf6f6e96eb58ab7b6a3e6f6860cadf97acaee63
-
Filesize
79KB
MD5d2b6330b07c55034ba208d7cdc49098e
SHA10514f7f246ec5342f9b1509ca765ad355ea3e303
SHA256edb146b39f296a38b41604a65ff243b72b94deac1f5280365298fac12a753410
SHA512dc8376f6238b382ab727ce2b8938379961fe7768d45f96aaf7f421d2b142c62a96d5f9fcd80614bebfe448324386b69e1e51d24967d64fa890ddfdf158e17a6e
-
Filesize
95KB
MD59208ff4ec6bc5d7185669e270150b827
SHA130a13a9095e47f37da4820e55c59a0535768a1ca
SHA25606d474b0c4fac2ec974d85fbee63f1f0dd25b7b9f07730c02f86f5c7795ccb3a
SHA51253557fc78fc9df2a871c8f4741946d9c78c11582ba31063fcfeb17a7ba7ae02ee163e12062d6a2a1ed3b7221251229200c4ab830fc7b62fed996cd56e85930ba
-
Filesize
107KB
MD569ef79d29e50b8dcce39a6929be3875f
SHA1693d7e59b2cf3e8f4ad1c23dd8630318bbc52975
SHA25682d22848d54d3581f417d98baf730513ab6460b449521b12924bfbad8bac8c10
SHA5122561ac88082a66992391e07ff0fee0b45eb5e9648316384d98a6dca89a907dcf2e4985f39718193d57521ba5806ecd83b3a386bebd1b238c82158ac0d41bf392
-
Filesize
21KB
MD5b1dfa46eee24480e9211c9ef246bbb93
SHA180437c519fac962873a5768f958c1c350766da15
SHA256fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398
SHA51244aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6
-
Filesize
3KB
MD57e4b9aa2d59340158913a468209ec4bd
SHA16393bc897112e258675281c096601062880c9510
SHA2563875d9b01c3cdc10c672973a735c9470ad9b8da8ff7ada071857f45fb7825550
SHA512b6f55521d533ae6d0be55b4d6a49873c77f3fd981be369cf8484a4ead651347cba7c842f6ed3d4c2e34a21383959e3a77aeacc063cd1701ba5853de22fdf3c92
-
Filesize
120B
MD51cf0f629870b71f647989e414a0e9ca2
SHA12395f05357893f6cd0df9e78f156ba4e848b7c0f
SHA25600578830dffc71aec280146f147eba79cd3cbf5051396c66a38b2c52942546c7
SHA512f314caba8e4e5726630e7d0d0bf47846ace585b4de4b90852f4dba5fdfa3545cba89224818ab14f29c4b1e30325edc175685f693f8c3ba1dc42e76df36597aa3
-
Filesize
2KB
MD5cd15f895638326307d0fa720c3ab3e00
SHA17fa5bb4c1ce802e64239972cacc65b5bf4af38fd
SHA256398fa5bcb09bfe2308a748cab200ffc8bfa488d7c3493450d4309b8b1872f967
SHA512df4b70df9c5a5eb68e8670f9019476a018fe18bb901e5e0e6567fecf99e2c4e74b284218c50d2f570d99e61c9f4d1febef3640697dce9d44b0dcc7e475fb9e62
-
Filesize
2KB
MD57ee06c11b05cd4b743234c423e57e857
SHA17f7862c4ce31de6b19a4d3d5e0fb6dc236a34f0d
SHA256f34654f3375483b352eb086ffb4a77f25cbf126e1b429a0a5701002533347e2d
SHA512ccdf957508092b2cc9e380431abc3464f6c5718b7ca6f75f627c1d3f4835b4b5ee54a8fcf0957500736e13d741a4cfff63f5e2cf7641f973761f4f9da5a62348
-
Filesize
264KB
MD56eedf68a445d019aa9049411c8802b40
SHA165739561aa5e232b9b37e9aaff708a1ad99222d8
SHA2563ee1f5c1b724b890aafdb646c497fbff7b8c4dc10387a3d13236ff8254243ec7
SHA512b44b7267971df2ed52aa7a3e476a43d0ab1644e2d1261edf3d0079b37f0647c7c939d719d79d4fdae4a269b0c3d6c7363b6479a99a82ba504d9c70b50e49cab9
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
160KB
MD5f877ca84cf0c9b8c8586a1c07a7c14f4
SHA166da0ab6fd0f8099eea570fda8873f8514e8bdd2
SHA256c496aa60ebb960d2e033328f60a5f5713f07ca1ba4114a5a615936f9e7c4f61e
SHA5125fc6d5371e7150124070e31ec6e63dab836289af58c80f64886d2bcb81636a45d6f96780a2a995472d4f2eb9426ee81c209d7a492ac5b073ecdcf9c6b0250d94
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD54de0f7bf6ae12d66456a21f2ba4425b4
SHA1b6d1cddf61793f1e15d6c77f6d314c5a77deeb94
SHA256d7fe9bb12208e146c6669a5af7b19f1f866c10799430abbabf49b27fdd0cc482
SHA512b0426cb09f707f7e67580870dbecc8962c74028a6062ccbf43c7a71cd621a8ada6970df2ec022c50c3192c57c0f3c62719dc77b54675fdccc97954c301cf38c9
-
Filesize
6KB
MD5fb98650f69b96380f1f44b977726f450
SHA148c46eb1a652c6cea6b979077efd72c5fbd0aba1
SHA256edb9ec725218b3458fb874c72a0d695ae31d795eb87ae3df2a80d992648e81b1
SHA51229c587d8996110328988ee023cf128564204319b8b1ba4529ab31da326767f33bd87e1c6fe9cdf30e7af06b7dd16876164786371e8e9b3562b47bf65bf7b8037
-
Filesize
5KB
MD5604225e2c1b209109f68cc4f9f513b3e
SHA1b4302462026ad7f3b11ab262896975da83e3e263
SHA256493ec77582bf02b426ef0f64784aa44d90db332086b58e9c10eb9262ef46c384
SHA5121dc1dd88038cb06c0956db1ed3cf382edc8d32db3c87361ee7be0021cb1cef4dba8b7180bce8308c275e5274b26b77650ac956851e238d39cf04573b3f86f1a2
-
Filesize
5KB
MD544d281352041a69b62924587d4243a17
SHA1c4ccf3ebb85dc156761791ab754684296263f8a9
SHA256b149580f2b7221d3eaa675409e5528e441b1607d23d57ed94cbfde8d3d27a0fb
SHA5124622ba4b86994fa27463266fb47812127208f5a82d6c87f5c7a0c3faf40efa5d75a3c99d7c9f0d0eb6018adae932bf2648ef527e7bb2878d9b039010fb864ae0
-
Filesize
5KB
MD5718aff7fe765a667f19d1ddcd1791bc4
SHA1e4f8902bbbe87d8c56cd9f53382f5e9faa7a6ae3
SHA256f280c6c756bdd0062b511f6764da35b11c58a5b5fcb299735a6a2212fdec2680
SHA5128e817d3300f93de6ce1bb69c28aaf6e4ec13b44b3897b43808eb5caf8361e7841baffbb488d46b9f06ca4da6aa65fe0b82521451c649b401de313a77a60eed9c
-
Filesize
5KB
MD5a6d66e175fef1352652d99eaf7c9372a
SHA1b0c15f36c6bc62724bd8a1690be9de6249ca4310
SHA25697ee24c1b84e261ea66b3edf4544d2e846d597cadf8a20c3107833f5a47a9064
SHA512504c14970b68e3ed726ec9977ce615eda6828749bd0b799e2e81ca6bddc59a96be8058960fd61c40a1271ffb3de9e8e7ad04231856de705af3d5eb4f7cae5da8
-
Filesize
6KB
MD5de06fe16a2fe34d8578f99aa2851ad5b
SHA1e39fec9e84cd416f18c178f6c0bfb316f4545221
SHA256dff66dbc9eda4806c1e03ec1dd9641d65a624eaf44fa6fc30e56964239835720
SHA51253cfbf7859370e2d9c0f7fc03485903d9d8231f75b55810bd4664e79c1f2353efed5f3ba7d1d1a43c042a07c28a58e33194f65a3e4fbdbd71bd118319af1ae07
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD59fa820bb57990e29b9d53b820a96be33
SHA1c75ba8c42fd19184496b77a1f0e774633b88a485
SHA256d97c4af9d6c65d86879ace9f81f8875ce5cfae8bacd0bac8e90872018558c9db
SHA5122c6bd7912a8970ee793dbae8ef70a98f5d5c94b954baefb2ca59958321d9ea4c30809501d65539fcb75e25531afb6dc52f06c4d0ad43ace45c8b51d622bdf607
-
Filesize
1KB
MD5fbb1cd2cb76010276edfab81f840cb2c
SHA1c6a52738331126e175b586b65caa71f10832ac4c
SHA2561a6bc7741ec15287ab70a23ffc535ccc3a4b14bd61709209605659d8f1567401
SHA5120a1c3f55a3bf974f3a98f2f5186d7cad4c64387ca778ce634b520fbc4a3853db053e746a86d504ee8e9b12cc0089b2c47b47f251e12477df4165d1426b7ec33b
-
Filesize
1KB
MD5adc023f2ff360055d92933aac9ffa591
SHA1190f28c09febcede485f34723cd790115ad45070
SHA256437135efc150dddec7c2fa9331debd81066c9ae816b146baa872d8d4b48a0e7b
SHA512c10852fa04136388884be01dbcc8e92ec82c7f40bba7d59073e45444aa86b543318cac40cfda86f5b819ae645f974e2f05c1d85d122e2433428d109d04fa62a9
-
Filesize
13KB
MD5d6d0d8d24353bfcad1eb93c02b1ea1dd
SHA1bbcad787dbcad3992b5879aa1abf59c35eb5bf58
SHA2564bac074138329c2d1f2c291525f966e3418d91e30622e926a7c70798c4b70b8f
SHA51234964448238ff22449d82dea552a8b359c45763378b9e9e76e7fa0b3d3df4ed0f18dd36e23e99781f56228513a52f8139c03043e1f626757d79c0cbeb4420c8f
-
Filesize
13KB
MD523cc6dfb606bd40377ed509b2587c024
SHA18639d6ac2e1d65426142dd121ac5ac6e3953a985
SHA256554dee8842b1316246feec7610193a41c294770c8781acbe026107d10a7acbc0
SHA5121c4d2394c0ffaab12d56fa213078cbab1d47959b03a9f6a62588e876689a13f833c16d87974849f9789e117f035e426b7b6328e32f4e7fa631d3fee57c69ba5b
-
Filesize
13KB
MD55aa71cab1fcc4547ac3ee2ac74309e19
SHA1f0f524fa1cde01d1846b3ae556f5af5778bfae60
SHA25624a8c740730261beb40e5d56e7b3fb432e400cc7669af6550df8ce73cb190949
SHA5122123760ecc1faae5d3228014b38c7ebbad37d1acc0173c10a39a9d4169a2e17d1c0d0f70a43e701f1f036cb5acce1698cc5d9cd98e1c029d9a224bbd8462aafe
-
Filesize
13KB
MD5e85d4fef82d111fd8420feeebda54d53
SHA1b116a40948aaf66f315e9cc54a3675edc4000d3f
SHA2561189faa5007199a96125d338e679501599cf8c4704a30f23f1bf7c0a67b28c3d
SHA5120d7f6cf94e96e0df3d59d42f02b9b6cada053e484b2f2e1cf37f8de8f84443ae28a064b9e7bc3b5c482548888f3dc1183d94d4c018903e9f0f846044be05fa31
-
Filesize
13KB
MD56460bc13354d85f66ce35ca6d667d220
SHA1738abb1db12a1190312025d5239fd16bc83bf01f
SHA256f3901626fe2b6ea467ace47ccaed3a3a6697c899cd2bc73d7bccbb27acf535ed
SHA512b7a18b47bef24e41c2a2ef24eb4eabfbe35d0a555bc2b75f44fa7b15bfd9f7f066e7452f80dd083e22924ed726dc7a76b6c2c7e1494483751b5ecdd38b7954b1
-
Filesize
13KB
MD5cc48e1723622b704d5d991946b51988c
SHA113078f42ad9f0b2a9919635e4e1f4ca7bcbe8969
SHA256a97e8e1cf677d84c8e8cd2d5b1c5ab710c8c4bd021cffa834765de14547bac00
SHA5121e43f492e78338990c33832b7d74a1f0e3aa60a5860690091ff45d34cdf6e8674580fa04e52be87a7314227ff2be86a115eb1f83244258486711fb73d3a1bd0b
-
Filesize
13KB
MD5eefee371aa371a6409f49201d0b67cf5
SHA1edb3b88f95a32bc08ac5babbe7be84d016d681f6
SHA256395a5fa572876cf3b3b8a91c9e62a51a45a92e0c7351256ebbca4ca8e94b7992
SHA512c0d3faa9a0881cdc2c127a7628cdae4a174f2117f1d96bc73016f0ec3670b7ab3eb83f92ea2e23d400b455c0f42cf1bc0727cd832c9fd3cab7ecf5bdf8b9b89b
-
Filesize
11KB
MD5d3748eff46b4bde3fe312e41f58d312e
SHA1118fee05fc5da01401391d92c57dff4cb00589c0
SHA256e8c48ca84c21d96157b9f24a338ded42421b57ef94abe4f2a62c37df43816036
SHA512d8e7524a2a96225a58c3a929412067e5ce4ff1c2ad5d8a128d4a71ce43a623164535e536cd58adf96446949ed5184d30ca3d42ae2e4619f8dfcccc4957f19203
-
Filesize
12KB
MD56166562f2afeea1587b12e3f79768194
SHA1c695891ee2704970c4e17f301f1f4433d9f27c5b
SHA2561e39352297420a96265a220a9de20e92fddbff492c2fdc52f25b34af0b18290f
SHA51225cb2649dd7df14fcd3d7ce5ffe1800358c85907c31601d9232f71e0369ea4b7467f7fe678c36e4714b733138284f387a064b8cd5db473f53380be7d2fc5b98f
-
Filesize
13KB
MD555cf544c8a365e0922ef8f63855c47e2
SHA11bd6d82cc51e23dec556c9eaff2c299825664e62
SHA256f81f5e864079778c47f1bb978d9f6486d2f058b3eb285443d5bf8de4eb17bfbe
SHA51258460e89cdb617a507cfe2ba45bb6adb035e57fc5c7d46913b366738253b0c8ff73e950ae0cba1d5ee42ad9c45512d6e38c93f3a8620e24750372a8d77161769
-
Filesize
10KB
MD5247c6ee980dbe3cb58fe74f5cc9bcabe
SHA17b71c13fb6f88657e909046b6e97f00a904f89a7
SHA25614aa4f66d98f4227024625f8fd799f8d823b97d166dd84c4149c02a9c31e4013
SHA51246d070df5f622792c51a26bde80cabc1926e4d1c6df90e18cb672d8253c3e82d2d26b780bcc4c498b7fe370e365d3c1c321116752794effea7206132076e227b
-
Filesize
11KB
MD5e952c9e46c79fcc398d64d909adf6e25
SHA1bd8b163332386646864754d5d8833377b5f481db
SHA25667eee90c7045e8fb14948cd0d9ebbbeae576520c428d819bb3151de4c5d2008e
SHA512cb3579ebb4fce1f8c3ea859800f50faa6291085a0658cfaf94577ad96f031b1bc1cf4c273fa526ef6f782cb4bd24a14021246eabc0400496ce129c1eb763613a
-
Filesize
13KB
MD5e49c6f62b6fe9fee48f6b5bae5ef03d9
SHA1d2e837c7fe024812827a53a4752eeb795d2925de
SHA256059e9ff37926ff89f44e8dd2f57b4ecdc67c891a38f2e477b9c5a499a09218e5
SHA51287f629cd5d13f637d04531a34011babab41d6372f57fc0b74dd4dfae7a5912b092251e4e2fbd703b00476e6563d959f9622c726690f56f98ac1a4f5d6523d989
-
Filesize
12KB
MD51012788f806fff0473e920cb7405cf56
SHA14213e501c62a4311e704821590dce82d6ce494f2
SHA256e08a70fb536085ad197c645e945bb1865d8a421ff06c2a825c25fb808628f32a
SHA512050e95bbe2e5edac2d8fd73b3818c2539c4774929c564b8da9b271b0f75115727a85420a3db6db0321f6e02dc92959d1b8fa8206a7bde6d2253dadf9eb5e3b38
-
Filesize
13KB
MD52e1e60ad9eb52addcc57e47084f0300b
SHA16503bf723165319b8d0532ebd5436ccb3302b299
SHA25677ad9e7699bd89ff22c3808f0aabe18e906ef3c2c4b06d1246f9399ee535f629
SHA512f9235b2c1de79a5d0521f667f33437e1b489ec2220c6680cad3bae037924d32b05aa241b26e7f9588870a43b0cf74e7ad8f2f00d83d2b6d2c4f62188bb6ba155
-
Filesize
13KB
MD55be4e5908d505a876c0b20076b2e832c
SHA1900c08d803c3f5cb3cfe0bac54924b978b587984
SHA25672dd80bf16652370f8eef4616fef025d48956a72745c7857b67665f3e81c251e
SHA5128d3cdc90b0d1e7163921e4dfe6c7de53b71f837a31dccadc7ac57f1b4697de401684f80a2e301de345126ae015a1a1c03a1db83a418a2598ea6af0ed0cf86d6a
-
Filesize
13KB
MD5567d3106a58f6552900c503f367d8591
SHA18ac61298502b3338edf4530670c7043b8b4bdc82
SHA25603ce1b39f417dd46401458ff72ca1219b8d508eddbe3d81dcc41723e1d83ae82
SHA51287382a2b369525d36f17fa2f637f8a3e1b5bd2804382cdd6a03f251ea3d17a11d3e60aa9297ec2953104a5467d0eefa88e9dabb28a44d9ee2ed1580d371379f7
-
Filesize
15KB
MD569b73254d9fba705761cc4ac24b246f9
SHA1fdccd69dc5d5ea1683dcd275cc4bed830ed0db67
SHA25679350f75b31ea293964b7d01e77fb8641a1530dd13ff2292a9ff459ccd4caebc
SHA5125087328ae5498b4812ab8e28b0f912550e2a40bc08ecbe20af79a6efedeb9234c76a42cfd3669a378272a55febc6dad58e4d5c75802e97db1d55a8c06ca3965a
-
Filesize
15KB
MD57245278783428affdaf337313acab55e
SHA17860e099377b13a214b52d7bbcea9af6a9494f40
SHA2562993231628c4da67d2ff4080e77c659645d5e1cef6ab9cd909200ceff1579d7c
SHA5127b4eddd6ad701b25dc9326840c302c38bb4a394a6cf653d4006cc266d82a560a6e2f87721e95f44bdb923bf4c582a2546bdd62d4db95cb7bb4780f2d44a8e0de
-
Filesize
96B
MD5aa8e322a6c33a3ea7c8d34b96b6fc81b
SHA195dd8e236c1b95e9e98dbcbf4c92c24a9bb7b5f7
SHA256d78e703ce2efd0fec41d2c7d4b5eadf0a5516568d8928dfce843234976489ca5
SHA5127b334cb297ae3a3357f5811dc497f9154e35b4cff5310104dd081e3257f79727aaf33027ef9d21d571704e02c190d3ae1fcc0ea96577d40f171d906ecd3da67c
-
Filesize
96B
MD55a0ac3557682b814ff2d48975b22e6e0
SHA19f94cee0f5b990fa11af7d1bc98753351ca97ca4
SHA256aeb197f61912f5f139478332fff3dfcf4e2f164923150008e1a2e7d5df898f9d
SHA512d4832b75c0d2509eae827d11f55fb940c5fda9b2320150a8caee8135022c8eec4881e9516d4f171ff76ddcdce38b8a990ac7ed3afac0cf2b92d07123f09a121e
-
Filesize
48B
MD5a71c78c3c097f22369fe7c0fa8472978
SHA104e963456fc74494a813882638416a5c55394fe0
SHA25609aae2afc91e55ab890ee82891526b93b8840748f9e6eca75e90be759aa2ee18
SHA51200d35482f6b8f6f843a868b626b8424daab6a54df546766bff5f6f1cb583285e08a1fc2a467682206cb117d398219343961e02b6bad787bb1c4483e63a4ce515
-
Filesize
321B
MD58c0563e59569eb919e28505aa63e7713
SHA11b7da724850e68a38c8ddaf999d436696706587e
SHA256a52e159e2aec5ece6794d37fbb3f691791ebbf1d289cde8057ea61740e34ce80
SHA51215aaba6fb5afb67742640ace938a487c9e5eb228d66ca54b43f3e24ad446105c483f7e45cb240182cd45257c39630769cea30991cc67e99f63910e2291a7a5c7
-
Filesize
13B
MD5a4710a30ca124ef24daf2c2462a1da92
SHA196958e2fe60d71e08ea922dfd5e69a50e38cc5db
SHA2567114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7
SHA51243878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15
-
Filesize
81KB
MD549fc6f70034f9a5ded1b5d47cc4537cc
SHA12c945a97dd97902d1c06aea5abe2c90147fcafdc
SHA25682f8a27eb5cee06b6e3ffbc2408caba6d6df162e9c5a2683abe676a72afb0dc0
SHA5123dafa64cce9bb7d10851600b95f9adfc73a82ba29869635e6914f1e5a322be6aa5b17052bae167eebcf0db896a7b3e72f3a0a72cb21057f62f1b58be9bf78dd3
-
Filesize
81KB
MD572b5bb86355098046532612940c647e4
SHA105ba1b8ab762615080684b5e06bbb757a879a26a
SHA256ef45b53949e90ab0635702ff504c5d76e660dbb54e04a4b6c168ec2b264d59e7
SHA5129b82d53c1f91b778f7bb42606d8e702a9f24cfba88c8aff0b29ad7d2b6534ba2dd1648ef95b49b55188d0375e1c18e6540829865e6c91f3fcd9fb586344f3c25
-
Filesize
80KB
MD5fa573286885f53af87e845e09418232e
SHA15339fad225395c8c7b809bae640b0abb1e885636
SHA2562269297f98df7ca5f8f05fbec62ca8812565b2d8d3e452292ccedf69962c5bb3
SHA5129300dd5a14f2320e9c83aa4b54e2f8bc59fde2c9197c86bb5bf4fe9ed7e7e555b42c7877c04e89760979319e0be00b9d4d6ecb8cf28add0fdef3be9021cc9828
-
Filesize
81KB
MD59cd0bd098523009ffa6e743c3d4d096c
SHA1761c39637174d111c9869eb10b0aac956b2ab1d0
SHA256b3d7dd7398a076989b8cec962614d03ed6e0c59933dc3bf5029f47c2dcf1eda1
SHA512bccc234641eca2ddd632dab16b0b1d015b2fbf751945f834943247d8fb803912d85da6518268999f5f3437b8a3453cbc70ef67de6baf75ed08c876e8f1e7556b
-
Filesize
193KB
MD5f2f8ad2ade85050bba2019b94eb979c8
SHA146b82897eb1fde192006706aadc0fe0b10a64418
SHA2560611240aa280adc1f165bca5303123a420fbe94f373561627115e198197f279d
SHA512dd9f13a35bb26ecf0b76ebb9622d68bb74b3050eba46e913ac55209e5fcded093f444a1ff8c2c2f238e7372311fe3e6ae02e3e26e63a20b1b5257d7444e2b6d2
-
Filesize
119KB
MD5c779bbebcbb958e358adfeadce473301
SHA1996c426e398ea39914dd46c22f8209d7e2d70f84
SHA2565b4e4955dedb27a012089feb1434429eb28415f8796711963b07a27d6c20e4a5
SHA5122cb5b6aa0f278b2a045acb09c2ec36618173929d74081126017e30bbe550195b134fe22ce50f5ed7134b3e4c5637627d387b3f606295eebd5acf922f88ee4584
-
Filesize
122KB
MD5938c18dcdd52a1e55104e86c9b487545
SHA104945e6bddb8c5ceec69785515075688b27389ef
SHA25603685a0d88d4f5c2ae1c72490551fe8485e765642204e8411df3e1e3a6f84527
SHA5127740d51a8f7f410cd253dd7a66373842f701d72912b0d028381594365e382471e5380611a7555ae462241fc9f856c4ee8e8e39c863b8861a170fa0eb96f0c4fb
-
Filesize
193KB
MD5590bb5df1312d06756a5933a896e73aa
SHA170c89b913b95cb856dc81ce90f342018ba1aa46c
SHA256cb958abd7fd0908f2a5048569dcb5cadb4c76ff5bcba438dc2f20006da02f016
SHA512bb086ced52cadc7f516fb8056673bb3dbc49462a4d48b0d6e7449ad371e51572a9af969f6af612237b0a1eaf8f1cf67aca5c8c04357658716929e744bff9ac7f
-
Filesize
81KB
MD508f36fc37d973cb27bde6ec81a8f31e6
SHA1e0088abb115fc0f7adce24f092e792ed32301f84
SHA25613c7b1fbecf9f380b75ab20587985801d320c09c0d433e8929c5b45ae084ca60
SHA51244bd2e7c7b0f96e29897f547949104caaee33b65128bd81a16fbe0ad44b14f6d138ee5b98fa58066f6ea7d9cb73acdd472ff3630d64861a8491f34494e2656a4
-
Filesize
81KB
MD529e7d5c647679c44b3687eb8ba4260c0
SHA185a50f8d8686201810eb606f2b69a9e5cc8ffcc8
SHA256a91fdb4dc95aceaf352c0dfd1715ecc954d9febd050319a271d6f74fc428453a
SHA512e6a535f22b592839f40412fbca1a6ca0bb509ed54f894eecd636b0bcf4faf385552a6c486192618d91b7f2845599327ace2a78ea328093a988a35b158769320b
-
Filesize
119KB
MD57678e1bdebbfe570a977e6583281fc45
SHA1b31bbe042a78e33ce95fe6e8e3ef286ca0c63d33
SHA2567b5626c2468115aa91030869213a451f3e48ba245ef0db87ba960b316ef7834e
SHA512d73b1e59826f41ea9b37cbf97df14d296444009565f631c7651e41285976f2211f3bebf8c24e3fa0f02cb22d4da19c09028dc19b554dbb5f14df9ffd1a7bf115
-
Filesize
119KB
MD5269fbe90b20b54c0036aa9b12e32ec2f
SHA18d17a15e4890e4af07cbe967e654d06e376eee38
SHA256f4a2bb748d41009290de28e5851f9368d14ee656a0e5e2f9be8eb10af1255080
SHA512c276cea4b323cdff0157522689c7afbd2c1b1f2fb2e33cb5b599964b4e0a9b028fb0551db16ca556bb33bec65220f77e417da1f053dd4a270676eaa3e3b4ee7d
-
Filesize
264KB
MD5d38d8aef02dfad031ec8ff764499a872
SHA16f72d9e90d33cd9aa56a820c193ac35ab9803d37
SHA25663a84889d9e26d85ec6b372d96400e1b252f50adc4a6964d6590f401f53137b4
SHA5120817957037cdc1886ddea040ce9f421ae9fea0cbd029a779ebe48d0b089da143dbd7771bd74efd95df42fbfa1e54e7e4c8a45b83424d89d5534b545cbb142b84
-
Filesize
86B
MD5f732dbed9289177d15e236d0f8f2ddd3
SHA153f822af51b014bc3d4b575865d9c3ef0e4debde
SHA2562741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4
-
Filesize
209KB
MD588edb75197c8a8adcf1c7bccdef640a2
SHA1aeb8e3a52d458b3a20512d3d41a765f02ee1478a
SHA256ed9419ef42acb34ac9e194162b80e47b74c04223a3eeea307cfe83f8fb650eec
SHA51210acfa5327aebaa8e511d74124b66fbad22b788f18ca7ff0f67a76880030af05fd3fcfab4758030d954eb048cd5d15c163ab3dfa41d0be3f777caf789c9f76f1
-
Filesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
Filesize
1KB
MD5d16c6b205fcec5966397c1601413d280
SHA1d4aecbd5c36fa7dfae8816629c28132263692945
SHA2568a44a16b032c29bac260d1d4f82b5e498a66a83c309521e619d68faa1662f87a
SHA512f6cbd0dc68d6ff58b7f9be3d689cbef0eb4ace9eb8943781bc7697aba3e25870d9199cd175f8094bd691b9019f0930bd14fedc29da83e756e44fbfdb0ef8ac47
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
73KB
MD581e5c8596a7e4e98117f5c5143293020
SHA145b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA2567d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA51205b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
-
Filesize
40KB
MD548c00a7493b28139cbf197ccc8d1f9ed
SHA1a25243b06d4bb83f66b7cd738e79fccf9a02b33b
SHA256905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
SHA512c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830
-
Filesize
160KB
MD5237e13b95ab37d0141cf0bc585b8db94
SHA1102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA5129d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
Filesize
60KB
MD5a334bbf5f5a19b3bdb5b7f1703363981
SHA16cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA5121fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46
-
Filesize
64KB
MD57c5aefb11e797129c9e90f279fbdf71b
SHA1cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
Filesize
60KB
MD54fbbaac42cf2ecb83543f262973d07c0
SHA1ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA2566550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA5124146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e
-
Filesize
36KB
MD5b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA2568414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA5122c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4
-
Filesize
60KB
MD59fafb9d0591f2be4c2a846f63d82d301
SHA11df97aa4f3722b6695eac457e207a76a6b7457be
SHA256e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a
-
Filesize
268KB
MD55c91bf20fe3594b81052d131db798575
SHA1eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6
-
Filesize
28KB
MD50cbf0f4c9e54d12d34cd1a772ba799e1
SHA140e55eb54394d17d2d11ca0089b84e97c19634a7
SHA2566b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5
-
Filesize
8KB
MD5466d35e6a22924dd846a043bc7dd94b8
SHA135e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA51223b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247
-
Filesize
2KB
MD5e4a499b9e1fe33991dbcfb4e926c8821
SHA1951d4750b05ea6a63951a7667566467d01cb2d42
SHA25649e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a
-
Filesize
28KB
MD5f1656b80eaae5e5201dcbfbcd3523691
SHA16f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA2563f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003
-
Filesize
13KB
MD57070b77ed401307d2e9a0f8eaaaa543b
SHA1975d161ded55a339f6d0156647806d817069124d
SHA256225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712
SHA5121c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552
-
Filesize
7KB
MD5b127d9187c6dbb1b948053c7c9a6811f
SHA1b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA51288e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476
-
Filesize
52KB
MD5316999655fef30c52c3854751c663996
SHA1a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA5125555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44
-
Filesize
76KB
MD5e7cd26405293ee866fefdd715fc8b5e5
SHA16326412d0ea86add8355c76f09dfc5e7942f9c11
SHA256647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255
SHA5121114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999
-
Filesize
552KB
MD5497fd4a8f5c4fcdaaac1f761a92a366a
SHA181617006e93f8a171b2c47581c1d67fac463dc93
SHA25691cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a
SHA51273d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25
-
Filesize
2KB
MD57210d5407a2d2f52e851604666403024
SHA1242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA5121755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68
-
Filesize
4KB
MD54be7661c89897eaa9b28dae290c3922f
SHA14c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA5122035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f
-
Filesize
29KB
MD5c3e8aeabd1b692a9a6c5246f8dcaa7c9
SHA14567ea5044a3cef9cb803210a70866d83535ed31
SHA25638ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e
SHA512f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e
-
Filesize
1.2MB
MD5ed98e67fa8cc190aad0757cd620e6b77
SHA10317b10cdb8ac080ba2919e2c04058f1b6f2f94d
SHA256e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d
SHA512ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0
-
Filesize
11KB
MD580d09149ca264c93e7d810aac6411d1d
SHA196e8ddc1d257097991f9cc9aaf38c77add3d6118
SHA256382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42
SHA5128813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9
-
Filesize
2KB
MD50a250bb34cfa851e3dd1804251c93f25
SHA1c10e47a593c37dbb7226f65ad490ff65d9c73a34
SHA25685189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae
SHA5128e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795
-
Filesize
40KB
MD51587bf2e99abeeae856f33bf98d3512e
SHA1aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9
SHA256c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0
SHA51243161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
10KB
MD5c7d27043d5ed63cd4f8ec02ec77001fe
SHA15c4324fa2d482234b34c9705e7e108773d1eea5f
SHA256e458c5ae569e004fa5c7a691314942a9ab29ff240c5fdc04f41de90e76b33c62
SHA5124a69de7b7a0b1c9c1adfc48bbf58606082081344d5e339b9d9af4840ddc09004dbd68973e5009a1e964b16e2132f174b22b51e7e5807d71891c29c88cd1f7f4b
-
Filesize
6KB
MD56c9dc0fd80232bae32aaca4ec6f9423d
SHA1f03bdf6aefbbc1cba494be9d7345a2453a8b5fa6
SHA25604470af4983ba31b9a2c80f619b4fc386bef5ba85a9666d25891a8d677d7e367
SHA5122a3d58dae10122fa470fb772ea12b63bd14a427d68f7384c454f5d455585645f0b0fbba8ab6c47423f6498fa00f6a72b96fb3aa946d78d0bcfe921a2b68ef132
-
Filesize
6KB
MD570ae173c169f21088ac4229f02693034
SHA1ccf7911bbc5f78c1928fc4fddc1b5c8b58fd7fbc
SHA256edb16120e18f4f6ac9bfc7edff6deda4f15ccf8033a3aa0fb0e23262109588ab
SHA51213c6c37c062f22facee159d3137775df6597c0d7845480b85a4fe76852df2cddfd2661534065a9f673b327f488a5864e4f1f7f3f4721b281a0cd9cb52dde0b12
-
Filesize
6KB
MD59be4adadd8d3ed7240572abfc94604e4
SHA194ff2ebd2ac2dea470f42ca0e9a36c177218b462
SHA256feaa3f332237eb58d8932bd172bc11c9307d42fec0eda63761f43f0011c9314a
SHA5128411c548e9c7e1b11508569366ee8f022df59db51eaef632a8449d06be750304ae59d039e42f3d2d5e5c1146768b058b64d560ce99839dbe58900898a750252a
-
Filesize
6KB
MD5269099afc057c8b969e615fb3d5a22a5
SHA1c1f66c387c4898c3f98be602e91ae015dfad08de
SHA256dce1b339c731ccefbcb5a4ac79352822c017f7537e7ce4c015032178f7277310
SHA512b35e0c6a51f9aed6273eb108f00a9ed624de42948307ea7f472a6eec915e1a267117f3fa6e4f4b82a7ae0fbf733fa5ec65729bf1752e50f9fb263ab2f36c5de7
-
Filesize
6KB
MD5941f40eed5521363d18b82a9965d2bd3
SHA115d4e6b240a53817328e34616b8677f7c9421e51
SHA256dcca4b5fdaaf5ab7bec3d2ba3d7245294a59d13a96e06d93703c738e6cca25bb
SHA512367aa19c9ec6e5028ea0a062b588cb0b78158c923c748de485d2605c85210b798554c35ac953ffd134958f71f3029e2f277eadce8c0c536abcf8a65b881a3fb1
-
Filesize
6KB
MD5998a0090c29163952b504aaaeb569f50
SHA1567295280483403af564a1bcfb5392e8f4ca5361
SHA2565adcbd385f3ba7fe41c7f823a40117f64fe2fb6a82d031f6894cf7325a0c3568
SHA5124c6c8391f55ec26950bbe29acae710222a5595402a93fcf03e39e0fcaf1dc0370c7fef23ce40b94be7eabdcaa057cea496a8d63bc73c6b6617ef7fc2f983a53d
-
Filesize
6KB
MD5bdf3b6f0f746428b07fc481a020570e6
SHA16e3b4c899c2b48a7c54ebb2679ed808c60c9190b
SHA256429cca10ddc28f77a0980a23d423dfe316659772b17f7f1f9f972a63e2a2bfd2
SHA512f38f95b646dee5b4a6bf24a7c61aee42d46be608f55a5e93c7d5ecd7f6a8baa2f1a1f795d04dbb5d2551ceec6ae7dd7b130b71feaf3335406f289c9136db74f4
-
Filesize
6KB
MD5554d962aa4ef3058f14b72a63986b5af
SHA12044ff723288a89f199d7d818c463c7e3fa54a3c
SHA256ba72fd353063bed689cd1582a9c897b0cd045c5a1b17e835c86d2524691af462
SHA51259ef82a656fea5e8265b2d16bd80e53d5a2b64cafcfb2f757e42a98df03cdc62a36cc429392d355634c0a8c01ed07f9cf3daad946a71d681681c1ba842e915df
-
Filesize
6KB
MD5f677fd3cabc3bf5d12427a3691528a40
SHA1eefe7caa8c838f1c99e99caceaa4e9de441107f5
SHA256c0bd125d979969220eeb5275586a5e568618e64c35dd5515a61a396ef2611db0
SHA51268980b3238b6b50585ebb852475f353d8f7bf5d0fb1b2c7df98c0d9c805e9ab4ababc6b9be472ff6b55639320deab28db416bd1df8df8e5bb236dd74208ae268
-
Filesize
6KB
MD5597c03ec352d494ef0b83719a3bb2322
SHA134a9ecf09475602ffd5592bbba6b1f1a3c0f4bcd
SHA256168454229738f85e68916d5353ac5c99894e81ff0d2d8360dc91d43bc6979a51
SHA512d3965a75d43e5e4942e5dad21ea61c26dafb907724bd90431036252c5d0a6329aa49cbd66503f65775c72a0a6c7c7c1b7cf14bbc737685ceff90984d085a9cdb
-
Filesize
6KB
MD5b3a2e1841b65c4d34c96bbe0ea515fcf
SHA195a2bf7597f454343c4b7dd077dbc81c4b099d5a
SHA25608eda53052185736dcf2c78947f23aa3d1358a39a61fd6036a844b2d33a32e92
SHA512a3581e4fc43ee77c7e81c4fa85deae97b44f9689d4eaaa653135691dace1007dbc8005416166175673a1d16c8aa193c35933fb883a2ab265fcc520e0a2f9758c
-
Filesize
6KB
MD571b941cb0dfefb11fd9a560e30388949
SHA1d09eccd13f5e6790e5681a60539704736bdfde09
SHA256276bf7d4ac8dab60a3e9bfde958da99796da33f5ff73bfb533e4f27029cf2c96
SHA5121ab7a12fbcb67703f86529e0568e67cb902c4a9ba9b81d75064b26d5e3f4e30eeddb6342d9d8fbcdb00234631ba111c1d32397b58f32660e33509dc01970f483
-
Filesize
6KB
MD524b1620a1e2cff5028bc6c2306500911
SHA1bc67191a5d95cf05cb00ca05aa0116720ce47942
SHA2568b33d7ed12ef2682b4352d9502379ec6a5100c56f8ad542c9163cf0ad98af067
SHA5120289654f5a82df68cc600130ec3c59778f3e9a1c7d0684134093a5358aa3ef94cf0794d355e74d499350a7f77665c6d05b0471d76f785169ca9d6e8b092aaaa4
-
Filesize
6KB
MD53863980ca903fcf340d0e50d6166f783
SHA1bd31b8fac20450e423f2b010f918eaf7aef56099
SHA256295ceefa7b1935877ecf1e701d10b82ea08c04aa2806ea81408517a0bcb45a9e
SHA512f27f8df809f430a22fa595560fb65999fc09e331ba48632d57ad66ddc2281b8ccf305fbb9f4f22b7a7706a03d0b3d4badf677b2ac5538b22819aaea3a04dd8a2
-
Filesize
6KB
MD568bbb2e3bd11d86d4cf16dbe5cd723db
SHA12e6930971702f38b55fabc06137c1f5301397e76
SHA256623e601a083d032556d298f9c548550750a6fd414f1995a33a150a196edead95
SHA5120ba14c2424782eb17da5d422dc39927294f26e8f35742fa4f79a4e21244cbd951b14053c253e25458e28fabaa55964b5f637543b563a70feaf9a501f2f2cf78d
-
Filesize
6KB
MD5c27a5be2d2e144b1b96fd003149aef07
SHA101bbcb1bb5a39ddd7401b11b58d517488f41ee39
SHA2567917969d66b7192b580f6e686ccb6ca2a1477b3bff1ee70bae7ee825691a5a5d
SHA512b80c62199c809e1b7ceb5e90c542439456a397fe0693911724e0102d8795a20ef31048dad11633a4dcdf949ac8da407a31c16a8ae42bd9b2131ded232925fcb5
-
Filesize
6KB
MD5c0870e5a8b82516c986ca8ec5e4a4e7e
SHA1cdbf9b4309b7d8da849c72d72345ecc716f7d157
SHA256347f63210c842ff496b379e845679f37e7e2878b0b617981fd237c93d9e17e68
SHA51231a4c4ec60d0232af72b75d2cf9eee7f41a8b965b362d72f5b31688cf1207f4c124f7fb1ad35cc9b1f60615c198f67fdfa56c024bb911d11b217742fb21c7da3
-
Filesize
6KB
MD5349abe9c5c01b468efffdf8d298fa24e
SHA115536d005d75a37e9869ac9eb81d5d2a4da7d114
SHA256269358d9f421477d8a27765b6bf6e05e83f9c35550a694250e91a94fc68d4990
SHA51202e038d6e898ddb9549c79f3fdcb1b254b7006e168f8827dc12dd9f89f238aa9bb95561199e64f6ea1c63eaa9680397fc9b39d087e51b8f80752a7d595879696
-
Filesize
6KB
MD5d0c9a218c02b84c9ce8ab4aee68c8ce1
SHA1af43801b637fd0ff0bde41e61132a4092637daad
SHA25670d680823f74aa376d8dba1ff264d9eb75a08a2ecdce132870f24c3750cba9de
SHA5128d5f1a36d189fb79943c69955dfcb2cad185651d48dc9aa12144b2abf3e8ebc1296173a44152fedc53f5e6227c68530fdd07e7128395de9ccd2aff18aa8a9d49
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
10.7MB
MD5dd1930d36e194498330396167f24b7d2
SHA112d8b6ce70ad0fb962d02b9af1289567cc22a07b
SHA25653a3312b91e307972c1bf848eff6d9bc9d3e638d93222515d1fb6f532dbdc155
SHA512baea58ccf0491dc399a8bb97b41be915890fa1cb08c5f7a233e81b13af821ef31e2c210f71035914e3cda63095446bfc00f29ee29a5c135f90927fb3732dadcb
-
Filesize
1.0MB
MD5b9afb41004774a0b38f49f66f8635dc9
SHA13f9688be6a98c1488dedbe25422c848ab6f67740
SHA256ac75b165e9a455c1cea8d644c3da7e12b18ae3f16362af8e40e0b7a9dc6d296c
SHA5124c8dadb3cad4a32db7713d88a4810794ca2421d930476b35d8d2378d8263a21a79317c31ca16d38973e56278825bc123c0c010669fc72ff6bf66bee287b366a7
-
Filesize
8KB
MD588703d13bb9642ab78db29456886b9ef
SHA1dba767134f04268695ff5eaf8257b40de84dffdc
SHA25634d25a78336aac80df8980f2f200e6ede9e40382378d4def988424fda1792d69
SHA512bb707581aca6f16c5d52f79dff14a50a571758667991155bcbaa45a7d5e861cc04c31fd81e086aefa69e35a41e95277cebca0d802d82f1f8c6539d0ab0f329d6
-
Filesize
14KB
MD5af6fe2dd3dd1ff11028d4a8c36a22e59
SHA1dde97e7baee5c50e8cc86310e0a3b122a105fdc6
SHA2566fccd62c53026fb766015295f1950104581b19361d1c9cdeda959e52e7ef68f0
SHA51213bd39bd3adbaf42f49dc5b254bf6158347dd712e3dedee7aa8868d49d88ba709e7195b6b35ee9f8356615c18d1c65ba1b58474a7ef3c2ecaad0c944fb66e135
-
Filesize
3KB
MD502afeb04c46e65ad7e1378bfb38eb73b
SHA166dee4eb4ada04dbf1b02c05804bcc3b76248484
SHA2564b1c5a997745eb8cfa99c6eb84309c115ba16493c840391593714381444687d6
SHA512fae8bc6e68ba4b74a4db0f9c7fc2191b2c80b1156cdaa4529634b4b37de8e65a712e5cfc38d94acc04e730dbcf442ac46ab8cb926dabeeb49f732c7e86f32f7f
-
Filesize
287B
MD5c5b4aee562ec073b776bfa1efb37a5a7
SHA1aca25f42b3c3e88c0ecce0b2099e33356e911846
SHA2565d09c4cb301f2bf4a7df0b11ec854252eb472d8fe959168ffcd1d61a4fcc75b9
SHA512931e68d211bdb43ec960438fb73adbda15d13435598ec10df93c48f36bda6abecb332946b58c35cc129a8fd41f9198d8acd7942b2097590148b1576662dfd1d5
-
Filesize
18KB
MD5d5d20577ec4e55d3521eabc61eec38a3
SHA1036b35435ea5b8c73a3d302de3a5d920dbc82eee
SHA2561fcc7992f71b8bdc41cc31eb26a4b697a1f2bfdcc2ab01fdc11c2ef734e85d0e
SHA512568c58eecb15d50af32e61361c58be3301c4eef67dd705658ab95eac62298f61679c106d7b928f3c44ed548f44fd32fbaef4c8911166d6e77ea6bf3e34ef5102
-
Filesize
6KB
MD52d78fa4d4f80768e5c11c9d4bfa9f150
SHA15c2f9a3652e2af17777450fc0ad3a52023dcf34c
SHA25641479bb4329d7210215c9efd92a152f7974e0f16d3a0bf39bff2a517fff27cb9
SHA512810fd6b913278049dedf0b097f65fd6ec937acb997f861e1efde1eade5ae225202824e5e1e41d97c93944f7b70e514fa4939eef45c609ed7d49a81fd5d64772c
-
Filesize
71KB
MD5cfa188442e3852b7569daf83d8f6d94c
SHA12d46033d23cb61f63a9a9769fcb1837c2a97849c
SHA256fe37d1ffcde030141e084a28aba766d0555d47665127c41a8af2038db2168591
SHA512e813e55ca5ff28126dfd32789c839799b72db3fc49ff8be4d63bb3e37392608b3040f49c0f9255a39d12e7ae69f88623b7cf6b80e744521f131342e17be66317
-
Filesize
82B
MD544008afe822922f45241a6ffdd6413f9
SHA1a729a3312779496d1ab17383eeaa19399d1a8b97
SHA2565b10187ecbc0f28836052981afcf92153f81ae911e1a7ff8db1d269140b6bc77
SHA5128cb708b4d144f538d3c209b377ff8eb51acbbcb71f2f7e7fc7579cff583d4df0dc952c7868058afba4ac3ffe6d01d0e7b2a63956aa4dde88ec45d8800b780920
-
Filesize
6.4MB
MD5fba93d8d029e85e0cde3759b7903cee2
SHA1525b1aa549188f4565c75ab69e51f927204ca384
SHA25666f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA5127c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
Filesize
104KB
MD5a5c7fa362368143d27480d388a98eec3
SHA1f9e0b19f593684767c6b5d3980cf51bce494a681
SHA256fcda277d87e19bf2aa95b40eb3121aae070de821341c89781f53c38139275145
SHA5126ee6365bed3ad24d4bae8478f07a96fef7a52ba2d3e50212add1f66d625f1992754610c5f214e802db7deb38bc72634747fe3fd114b561742a05ac48455e1c46
-
Filesize
168KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
136KB
-
Filesize
496KB
-
Filesize
304KB
-
Filesize
176KB
-
Filesize
56KB