Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 05-11-2024 12:29
Static task: static1
Behavioral task: behavioral1
Sample: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Resource: win10v2004-20241007-en
General
- Target: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
- Size: 574KB
- MD5: e39790d2164de5008c336fed365a3510
- SHA1: eeeb523b1c7e956312e07cdf1456e021978a6b9e
- SHA256: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03
- SHA512: 0a8ee2ec841ee3898899c8f41bc427aa4b6e674931ca4ee7a544be4c180fb1974df3acdfdb9e48336619086e2e7d2d778603d37b7b06fe7cec8501ba76906c27
- SSDEEP: 12288:/pW2IoioS6p8IReqYIiYkYAY6YLYr5bVY4:/qon8
Malware Config
Signatures
-
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
description | ioc | process
File created | C:\Windows\System32\TieringEngineService.exe | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
File opened for modification | C:\Windows\System32\TieringEngineService.exe | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
Processes: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe VBSSF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe HTMWF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe RTFDF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe CMDSF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
pid | process
2568 | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
pid | process
2568 | 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
- Modifies registry key
PID:2076 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
PID:2088 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\bfsvc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2156 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\HelpPane.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1132 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3052
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\hh.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:556
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\splwow64.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2308 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\winhlp32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2200
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\write.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1908
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\raserver.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3060 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msra.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1740
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1852
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2064
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2352
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\logagent.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1956 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:936
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1012 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2880 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2796
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2992
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\runas.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2808 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1724
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2672 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2584 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2540
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2696
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2576 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:1444 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2372 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1568
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1720
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2820
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1060
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2124 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2756 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2476 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1764 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:1156 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1992
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2184
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2972
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2924
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1508
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2688
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2348 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2228
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:448
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:1008 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2408 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2968
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:264 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2176
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2224
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:964 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1736 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1752
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1152 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:1260 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2964
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1452
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:552
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:1744 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1340 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1944
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1020 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2644
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2848
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2436 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2180 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2320
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:820 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:1556 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1484
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2284
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3000
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:1040 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2104
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2692 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2664
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2656
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2732 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2852 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2752 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1952
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1848
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1912
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:2668 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1860 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:2312 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2236
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1996 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2164
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1580 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2252 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2368
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2912 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2580
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2564
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:1096 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2908 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2544
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2440
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1680
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:692
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:636
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2432
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:888
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:408
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:2884 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2816 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:584 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2296 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:2948 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:824
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2916
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2984
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:2008 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2764
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2728 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1276
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2708
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2112
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2684
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1560
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:2596 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1652
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:2012
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1800
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:1140
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2460 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3076 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3084 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3092
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3108 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3116
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3124 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3132 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3140
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3156 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3220
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3228 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3236
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3252 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3260 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3268 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3276 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3284
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3316
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3332
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3340
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3356
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3364 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3380
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3388 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3396 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3404
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3420 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3428
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3436 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3444 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3452 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3476
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3484
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3492
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3500 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3508 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3516 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3524 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3540
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3548
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3556 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3564 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3572
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3580 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3588 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3604
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3620 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3644 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3668 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3676
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3684
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3692
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3700
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3708
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3716
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3724
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Modifies file permissions
PID:3732 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3748
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3764
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3772
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3780 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3788
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:3796 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3812 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3820
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3828
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3844
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3852 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3860
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3868
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3876
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3892 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3908
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3916
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3932
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3940 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3948
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3956
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3964
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3972 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:3988
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3996
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4004 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4012
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:4028
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4036
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵PID:4044
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4052
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"2⤵
- Possible privilege escalation attempt
PID:4060 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4068
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Event Triggered Execution: 1
Change Default File Association: 1
Downloads
-
Filesize
574KB
MD55373b27c1706d6b6458665a36462edc3
SHA1f9409e9f008d02d9f80da685c8b813c54b7b2d9c
SHA256aff33c9bb7595417469a54eef58701793e9fb7cc6add5339201be9c4d5ee4289
SHA5129e88656a8aee32e030c3ee58d7bde94b6c1a78c92d8192f98ba3e247df4bf943589258a9665b5d027a8feed03b5a8e4cd651c39a8d47679f623d4541834b9c93
-
Filesize
574KB
MD54740dce00286267db0f16facc68c9dd7
SHA10399822590a0dcb50c22c467615cbf3906ad8ab6
SHA256af82642b7c381442ff8950490252f4e73a0c56e490623d09534bd9c5f84010f4
SHA51225c48e72625f2e85f706ff5513d06cfd2eb9e20723410f404a8211b1390ef5316969c77d703c89ec4009bcec8172562cd4b6c89b5ee1c34d70d3f7a29d3b3925
-
Filesize
575KB
MD5a0158965387fa006365a79b35d3c9fbe
SHA14bbc3a0d155c4cfd21fcc84cb99dcee16138c213
SHA256d078c0850d633b323d7048877c90b1282d2f103e43c910ceb167e0b4318fda15
SHA51254e648ca83076505cf935129c67a955f60310a07203df6c1d421a49e167ffab1a29b69067090a9c2818f071e0495fc1ec2aad1e9c3451061824dc9282c2107d8
-
Filesize
575KB
MD5b3ad3ab94de087c39996e02a7dc917da
SHA1d0074e080bccbc09d4610ca9f85c02cd9336aee9
SHA25675ca07c2e03b7438d20e8146a5c21bf6fbb3ca36451e1be3b48795cda97af8c9
SHA5126fcbc3842e249a818b5de14376f03454459f07814f095984583963bbc25a142916dc8e22dffeb81fa830d1076dd95a184f1b63698e3f48cdea5aac72ddcd90f9
-
Filesize
575KB
MD5c4a7867c7acc4e9a9f31c5344056084a
SHA1f44161dec5c78fea0038c1387da545034de79157
SHA25663e23b5b15e1c12ff8ea9915b8c7331d0b7cd1963998e1e1b6010e162e08c17f
SHA51282d3fe8c87b19220925b779414c9eabef15e0eb9d47fcfb096d346db1a39e2f3f0a87a5555fbb862e811d8da6d2d82499686ca75ce7eca9db407dbf6af8ccd00
-
Filesize
575KB
MD5b0f7d5cb00353a0e2102795faa73b2a8
SHA13c38ef955283a5e94606308d30551ec16bdc6e65
SHA25676d757b592996dd4d071fdde84b5b77a3d83ed8bd01d9f693dc9644fe1deeb6b
SHA512cff28268cc55a4e6cea2f40204c3d78c9793d0d4c56c12a380b84b6341da6127b3ad0626c0d6ada7c2287babdac2c71b8fbfa736eaf6ed7fe19d78e17ac91bce
-
Filesize
575KB
MD508377a1a576465cc24aded9f3df51617
SHA11eb24e408b9719301888bce65d57cc5d28311c97
SHA256487017813d99667ab25e3389ea682c2ce754ae7add584f5eca415054d162dd0e
SHA51254103dcb1d5c471677bf0e5561f7ede201b807ee60c2ffbbc78efca2790bfe8ec5464aa5d3b623cdc75dfe930b8105f177615928e62bb7e125cb518b302f0b5a
-
Filesize
575KB
MD5a81c156cccffacc403f40990d9c5fc27
SHA192476a1f288447b87bc3332cb19a9b271ebb3206
SHA256bf239381c9df24bcf2adf1d8d294a2716c086661628157df2cd3d4e00e7ed229
SHA512f7080e7a3c177f71e46fbc75e52b64ec5674232d31c6b18e67d766670a932f14c6e5640aa82d8063f836c1c709a683b9ccfcf8e0669b874a0caa25910e501927
-
Filesize
575KB
MD5d1e311798b66e3a6cd6a0da5c04c64b1
SHA14000c0aa1c84ae3d2036c01da270ff2071ccc377
SHA25683cafcf5e9c5046df5f61226d5de33a62c48a92590a4519ad84f8bd461d5c987
SHA512cbc5c9559bb84783a3643bfc6a55b624619b3fdfa55fca21ad022d428611898b730731cacfe98dead8a95c2a3fd32bb4001042ea56503ef79a9ce8f49fd79a4c
-
Filesize
575KB
MD5b802052d3a1f9ae722fcf56495a67063
SHA10a37ffeecd71fb66f98ffc67b57e4ba7ce65989b
SHA256e3fc66ffb4b48cff8468bc7d7e872585b3cec2096bdfee079ac5cc8a1f5108ff
SHA5125d8884d40488c6ac264134e9fffdf03b0ba89649b0559ae4311b751ef949ae47429fc6f1e77cad45789b58113366fd817a84d870100574fee25bbce311dd7703
-
Filesize
575KB
MD590f896cb9f2d85e3a3c49aac356565bd
SHA179a82eefaf498ca29f09ae4ba28d5afa0861b07f
SHA25607059e992766b8adfc3db1a198d5d44fed27882ce62b289150790785e10c34f2
SHA512c8fb34d9cf88c704f33cfc059fb5684f33fa72facbfced50eb632c032f99f7a1eb163c5fd447ca9f86639e42c0948a1ce51f067548091d6a48256eedb0851bff
-
Filesize
575KB
MD5e57e4ed632934f604822d873626f56a6
SHA1e3740eabd1d4e3e508ac9039a4b70b37e6f6cd2c
SHA256850c0a54ddd456f02e9e084f3f4b1d6c69e7ac4e9faf866bb19d8085d91a21b6
SHA5129558e3e46d52d075be889e3d32006df80b515537d8ff4f64c000092d2fa1b16a38a42966795e4015f71f7f7a7315cabdcb7b807a848f31c24c953b43bcb708cf
-
Filesize
575KB
MD520e81ddb55c88d6b062f169119fd0362
SHA17eb0e23e6b335838e94ad4d87bd9415010188892
SHA256354e23c57f7f07ea5691a51f3e9439dc94b7af4baefbad4f5e8ed7e442b867f5
SHA5125c474d2fd8bb49e9603f1121e85b60fe3827646b467b2b4e50c3d657992c2069fa259afa3c0ca91b8ca946c23c760a987a66e06c545557b5b3dc20ee135d6f71
-
Filesize
575KB
MD57b35ee723e6a03f23196cd8eb91ccbc3
SHA15d2cccbd1839d7086c72805dcd688dc61cabc6cc
SHA2565a138c6121b9d2b4a53e0820364d00c90c859c287409105b8236a24e03451d35
SHA512959c9172e1c0f3971a690b592225844eab73e11577b3b7a2a5006ea832db291b7ebc9c5aa9ee4571f6b8948573fc25dd8112a4b98a0fbb33ac6bfcf050e83e44
-
Filesize
575KB
MD539b56cd7d56251609dccc61f9ef60f00
SHA1ea570801730f2e2f355a0e379ff353ab62f215c5
SHA2562c10cef828ebfa34023e9059ff9920e19743048059fbc0a582e661caecf66472
SHA5129350597eb6e8671275492085c121f626cc4987f7b5121d5566821b6d5e15ba38efe82f7e78df1a68fa8ba3c6b4c5fab36fff9ab8ec79eff34dd002360d8d734f
-
Filesize
575KB
MD542cd037fa12ba9beaf9a9be16a913cce
SHA1bd2422305bf3c3c163edd63599c3f45e7f89d1ff
SHA2562d1ebf4accea11cf1d4770fd8c8d637688a56dd302b5a16ea0eab3367cfa84ab
SHA512d0b9bd59c5eabb3d17b51c42645591eb97bb3dc7e57c4b756fde11cc4721670238e927ea09c1f9fa87e92550d7087be618312df076a3bf445c261ba673916fb0
-
Filesize
575KB
MD5dee06265aa651638d1dd0d359a9f9607
SHA106abc02eb62644208604e94bf554758c47358f5e
SHA25620534b084080c2a5da30a7a8008fccbdbef741e5987554442636a462f0075759
SHA5123765818cf5a92ecd847c7a14065a19372ccf4f00ca14ea29a2cb06d5c8d3d3a618085d917252286d8bc168f780045f2834f842c1bfa5a732d5b854b71f052783
-
Filesize
575KB
MD5a18ef252390c4897e4bc80e034d152c5
SHA1545ee51437f31a0b8b822865f2d1e993f0866508
SHA2561ffd1a9f0831c91ec5c5e375cb999b4f055e68cf6e909ecd5a698931503eb4e6
SHA5126fc850b909c56f382efbd6fb0d212822a360c9ac233eb18ff56f7ddf8e37e8a7a29f8a3ec2b7c3626ad8edc62de2f106bb2d40a25bcd282c8e1acedbb4e24cd6
-
Filesize
575KB
MD50c7a2b30576b15f7ec9e2b2ddf7f2416
SHA14020ba4ee558ff5d4c2be4923ccd68b5ed5915a7
SHA2561f822e4458b73c29ce5864c70e1d742e827243dce65badbcda23f8fd456e7792
SHA512639af410739b8fb8ccd0638a0661c87304299783dee32fdf13eb77b1eb1ca96c57a5320879b22676da78087c45ef4b75bb7367529e98d10ab4698232466f7113
-
Filesize
575KB
MD591a9ef6b5f9ed177d6f053f4a3779926
SHA1fa9bf9cbb3e5d003feeef610628e678369198dc1
SHA2562ffb0b22398eaa8965e98ec105a6a641e13403251dc09d06e456e17358b930b8
SHA512c95f1945d259673a9782fead662f95dce54d4607c833363e53b5a0bbd5ca5937bc4166502f5578d4cc7746a59c51907437566e605e87437a86ec84f0af86130a
-
Filesize
575KB
MD5024d10aeba77b3d41da4314cdac3392d
SHA1bdc5c45079288a6eb397b91a1aa34207b1bd1d99
SHA2566be2705269ae3d5a7fc9d8df8327c096b994a5d63f566d494294e69eb33bad40
SHA5128a99ca474677f19e73ad0b8c2869a6e9bea0084b2b8f57bf0d9ad72812f51e54dce05d00c9e46ed6926aa3c0618510d8ba7201516ca5227f6569946e047b7990
-
Filesize
575KB
MD5b0eb5a52f3d7274b07c025d253c6c1aa
SHA1d42b24239c8d87436346752cd5bdc0bd73658284
SHA25672358fb2d2682c4c5b880708a9ce76bc1a4b5ee66e65e144716a800db3545e64
SHA512492743c562cd3a88464f8eb980675163efd6166d81e527edf9c0b0fd27514d650949bb8fcb4ebfa2e334a8bd71269c57ec67ef23ccbb0136ae5e9811c8904eea
-
Filesize
575KB
MD5c204de1954f03959f8e304a05dd087c2
SHA1b117501186c5507a15b562a69452263de179b19b
SHA256c8141e56dd53e08d91515ab4f3a34c93b9aa048cb743c0639e74fd5444fb4343
SHA512055a231e39a5e4fe9c5e563f172fc76cd224423eca25e0dfdc0ad1d8f8f4c6c0fe7d9f8f5ac37866000efdd3d5d72db8cb2d16997479d8f7241c024c603671bd
-
Filesize
575KB
MD53f78539193185da7ae09b1537c155ce0
SHA1d8f239b478a8f1c0785f28586729602b8bd49b7e
SHA25661a9558c52a3750ee580cc213569bf159c31b77cdde6a09be1292f21212790ae
SHA5122bb16aeb67ae5ed771779cf387f294d5ab45550231f76b39be8318d5534d11b553d827ce78bc23cb6ade92bc5449449364b4586dbc2fbaa837b4d57810c1074b
-
Filesize
576KB
MD5356048dadb2cbe18bd364d8d99b9446a
SHA125c454e4bcafc299cb847b042252b71d0d22dc5a
SHA256749dcb83a9e43e74836a8384b12ef03f035bb5cb92d74fc3b3b0687aaf3a0b1a
SHA512ee60659cb0adb66e17c9435801f9e70b61cae6d5d6e0a9f5c3b0d7e644f257bb79ca2a9ca09bbdc094da56b0774917a2f404cf4c79f2710af3da140452a5366b
-
Filesize
576KB
MD5c04a3af637b3560b7ebb09f700f2e0d9
SHA15a38206ad486980643fac8de501a074a323ccfe6
SHA256453480749cc5af97b10e4be20940ce975b8446fd37b320cdbfcece12abed4eea
SHA512384cb04eb089ca55f86e59a09a87d895fa8984d9b955a4335dcea4337870e21fc0737fac497d703486353c772d33f59af18a2630f6f37d1fdb277b54697ebbdb
-
Filesize
576KB
MD5ec8a0e2aa12dd2fb1c22945328652a0b
SHA18e97bdb15aaf1df33997580175d77ab014b76aa9
SHA2560b8f0f990c60286b9051fca83249d4f569041ba0b060cdcbc6b2bae119fd9f83
SHA5128610733b63d80595dfc95011ba81d28afe20dc5a3c9c1b5bbc57e17a61fffe459285288f87d6862a1f68ab98cfbe535e4589e2ed5fc33d9f4d1f3088b83a2075
-
Filesize
576KB
MD5f14b26e96b7acce8f045122b9be33de2
SHA1372c85f270c75bc776e823db5dfcf1db38755c72
SHA256e330533035f0e396ac75618ea60b07388da7700febbae0aaf1de8a2112867f0e
SHA512413b3bc03f1ac207850a136c7e8b94fb4a124173f569cabae6dd89d9b315a381ec2bca7914843b2e5a4e9167a3bf2d5971595ed07a2cbc37fbce5c24f98d9ee0
-
Filesize
576KB
MD54cf94e5b387e9ee3154c2357eb315b69
SHA18970357fb2ee31ecf105d4430c10ba69e5307f8d
SHA25695ee105cdfec46036b11c752900d61483dd585896eb5e396984c73802951f247
SHA51242f58d36fffc07fdfa18bf8e6afb6f42c9138aebd4bcbdcf19602a78557055d5559a5ec67e2a9d8ef721f0d6f318b71fb5e024ab6f2a195be127e70676f85fa4
-
Filesize
576KB
MD56256f9bc2ee142389e4db41222241e97
SHA1c32e972424676fa557946db2db8950224ed9e79f
SHA25643e84fa5b5477db92a9a5f2ed5ef9199ab44babf2b1ce5d66bd77020f6252546
SHA5122f9d674a2bed981611ad4681b6e1f3f07106698b46284514940d3c911e429468843f9a08afbca1d136c55eab007cbae78160da87ccc3c50de0f70231dc24a644
-
Filesize
256KB
MD5db4a9fac1f33c774990eeb3b2dbd4bda
SHA186d8ceeb376eaddbc2b3cf44435db636c1a1ebad
SHA25663b66de05e1df906082cf1dbed9d00531db6d650f68aacf870f8859efa683fed
SHA5124ef44b4fa2d42c9a2243760c2d14f679292ab8d8fe09f9ec2cba6f7a581766386bcd73cd439438204201b9792393b023c4d0c2f09c8f7116bfbf8dcb4407c7ad
-
Filesize
576KB
MD5ff564fea35f641426786176f3772f55d
SHA11469b11050a793a0889d6a43d884e1bb3b4f56a8
SHA256a9e6cad941fef108bd4019fd8c70989b189003062bdb5ed2ad999af8ccd6cd72
SHA51247a729ddd51b99822103472a8abbd64981df381ceb4ff572e0f4ae65bdb8bf5284bf554e0695afe465678a0a6ff77dfc79488b130e4f7d5ecf9bd94c1d9f6b12
-
Filesize
576KB
MD52df080bcfc9fb970c6298ad57d45bd9a
SHA1772fbafe482c97df0f407d2d1348ff31732311fd
SHA2562b6110d12fb49892ac869c70d269764d2910df50fc91ad4bac3787f1e896f42f
SHA512b1e136740fd364d0b49001662a8acb06d46034175dfd7029ac6ed90a9d7373ef14ca608d0632988ca3ce2d1943924076aa966b888950b6bf0ccee02af4723a65
-
Filesize
576KB
MD5608acb718acd97a278a795ddef17b56a
SHA120ce4ae028d5df435d064e3e705a4a4e7c95a7b1
SHA256886f9f802e7edd0c49488b8079308e0014e597532b411efd4daa40339325a48d
SHA512e6004cee25c27393df6ca7bb656811fbd63a7574880d78e24cbeeae4e580a4a649eaab39bb927304cc75a243be9591d2f15a2c9d5a8b2e37654d2000d55519a3
-
Filesize
576KB
MD5a7f45f88c278203157c0284b4b8f9e24
SHA133569bbb0e842b99a09061f9c63f633819ebfc91
SHA256bde51daf73a215cdba33ff9bcd0c9cb440ec01a0a55f6935df0eda85da7e057d
SHA5122f3c9f3d17606fb0103510396e49840a1cb045a364d17ed53e317c8861e93421d8332fc88163f784a835c927d2a92246a8db300494fd58f98bef6aa07e523cd4
-
Filesize
576KB
MD5690ac1d7475f1f1eb125ffb48d757b6e
SHA16317d8bc373331f3e7a0d2bf675990fa9897d056
SHA2562aa64db771bdff7d3aa7609e0af2f69bf316a38cb8432dd65cce2a3386a62b66
SHA512a39ad9b97e6542a3822072a58c4afbb377bc2b0922db9fd5882bcaafcd8166dc91dcc6dc850c471d8f8e188c237fc81c0112b723a726c262414c45e9409e3a15
-
Filesize
576KB
MD54d2e14efcd17c6c4555e25af81259af7
SHA11d4cccf88988d3a3d80739b268e693445ac20a0e
SHA2561954665733a01fecb4b1c4282574057ed32a8d267f41e1fdc70c04ac33196ccb
SHA51245f6b684c5a250ebd5c7f517e9f838448a45c77a1134f2315b1a4687f614f5df309376c5fab61d00d7eae0687432a9e316c3da6943299ab04dc59b16b11266db
-
Filesize
576KB
MD5df8bbb1910158bf315f6be2d1cab25f2
SHA1df57e81b2d44491231411d03f153d753348e14b3
SHA2569a3b01f28fb7bdb32831e0869e7c07dadad77df75c8c09faef1d09404c899e5c
SHA51225346f92de4f8c113d9790d3f0c486b637958985ffc1db2ff84a499f28d683f2d9706d3d931265ba9e887466c8dfd0694e223f9e75624b6ca25b7d5885c7f002
-
Filesize
576KB
MD5ca159a2ba9d73178540d48d99ac1f696
SHA178ca10b25ec59ba30ccf7ae7326f339dc01ec93c
SHA256519928fc5e548485bb7ea063fcedc6598f78680b1eeff4c59cc860dd6b4001bb
SHA512b53647a43ed50d12011b6d2b4feaad90d24bb6e407037f786021ba1fe2ba22682df223b72e8a1be28630ec8d837f6edca14f4119a3341e5b60209886daef4ac4
-
Filesize
192KB
MD5a662e1010fe4ea3e5a900b331f318c7d
SHA1759b586ab77425d338d6598a0ce5744ab91d671d
SHA256c6c65b5d5084b21a6b2b311cf65855f22ff26f84a6734491a5895f499ce834ed
SHA512d72266152241bf7db076367d2c5b7191278acc8bc1c5e1fe8dc671bf1dcc6c5920f4d4854a37572dfbbf35a7c397aa05add364e95e803833f2044fe52949c3ed
-
Filesize
576KB
MD5c31cbbcad41780f238557209f2a1cf85
SHA162c55266a6bd67b41a0f4663401fd7d1e0879767
SHA256439df15be6a6189c67a7e7b3d2ccd16cc017a2eac3222eca16926e1ed3bd8979
SHA5126f634055ea65b80a81be4001625d00e3d5e7c7854229f42b1b9897d77376226a71c50454235e036005ffc09e06787a0277cb8db56f43639d298bf9721cd9c848
-
Filesize
576KB
MD560b52a782325031b58cbc8dcfe8a7e24
SHA15e08fd95249a898c7bc1e49abe6639ee5cd5f92d
SHA2563d70d2d190e959a7fd207f202f1ca7ac2cf62a25c0fa63b3a44c08616f60a475
SHA5126644363ec3f0d75e1cfb898788838b2b30d67b304638f530a80c57a8f69dbdd22b50a3f633145fd58b825b7d0016476579eabca28d239b23271d46ff93d12b8a
-
Filesize
576KB
MD577a60b3c6cd4ce4f041357c9599f92a0
SHA19f17db99ca7a15389432876f2a55ec97a7142d35
SHA256a2fa4eb3f43f5a63333ac50c6a0ad56bfa938e4f01b1d89793c593bb6d23609b
SHA512424208a68ada3ce40c48680a15a08ea375fa93ca40b54931ce13b8d328f58ad84001aeb46aad3977a68236ae73a6975ae87431016cdcf4880d93e1ccc70a669b
-
Filesize
576KB
MD5147c27849bfaff60e9168c4fa902aad5
SHA1c997524f590723a5bff90ae8a9af9e211e29febe
SHA256c8e7d6c51a476614a82ce68603ab563a8bffa0c76b3d4819aa14ce12e82d8fc0
SHA512f657bcd0b2678db614392f2a371101baf2df007165c34802043b8e340d753ea95c7cb8cba12f2d3ea8ccbc8e3138c34f20337ac4c9759f2674b2015f9e657213
-
Filesize
576KB
MD523b0b3e3cc3081b1ad02bae42712502d
SHA13047b08e03e97bc6b0e2c2e9dcf5a01504e5e65e
SHA2562aa89420ec59a826fba51097fcc7a2562e9dc4a5408fb2f44ad50b63de3f7f36
SHA512362181a827592cc3dd6d811ae863a1e9ce5794459c6db60cc2af1bd11871eef5e0d9cd9d48df0559e207599805c64a209d67785b6249ca3f76663f63070603b7