17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Size

512KB
MD5

82fd0018bb2441cfc589124168472840
SHA1

c389e4cd7981f7236f19f357f5ba61901d52dc37
SHA256

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
SHA512

bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
SSDEEP

6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exezetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe

Executes dropped EXE 3 IoCs

Processes:

zetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe

pid process

1396 zetehvgpwf.exe
1232 zetehvgpwf.exe
268 zetehvgpwf.exe

pid	process
1396	zetehvgpwf.exe
1232	zetehvgpwf.exe
268	zetehvgpwf.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
1012	icacls.exe
1920	icacls.exe
1872	takeown.exe
1608	takeown.exe
1556	icacls.exe
1688	icacls.exe
1468	takeown.exe
1256	icacls.exe
1656	icacls.exe
1920	icacls.exe
2032	takeown.exe
864	takeown.exe
1468	icacls.exe
688	takeown.exe
272	takeown.exe
1748	takeown.exe
1068	takeown.exe
328	icacls.exe
2004	takeown.exe
1524	takeown.exe
1224	icacls.exe
564	takeown.exe
2036	icacls.exe
688	icacls.exe
1636	icacls.exe
920	icacls.exe
1436	takeown.exe
1524	takeown.exe
1820	icacls.exe
1972	icacls.exe
616	icacls.exe
960	icacls.exe
432	takeown.exe
1388	takeown.exe
1400	icacls.exe
2032	takeown.exe
880	icacls.exe
1808	takeown.exe
432	icacls.exe
1324	icacls.exe
960	takeown.exe
1300	takeown.exe
1332	icacls.exe
1252	takeown.exe
1448	takeown.exe
308	icacls.exe
1204	takeown.exe
1820	icacls.exe
564	icacls.exe
676	icacls.exe
1012	takeown.exe
240	icacls.exe
1204	takeown.exe
1012	takeown.exe
1204	takeown.exe
468	takeown.exe
836	icacls.exe
1528	icacls.exe
1304	icacls.exe
2028	takeown.exe
1400	icacls.exe
1928	icacls.exe
652	takeown.exe
556	takeown.exe

Loads dropped DLL 5 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exezetehvgpwf.exe

pid	process
912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
1232	zetehvgpwf.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
1928	takeown.exe
1708	icacls.exe
904	icacls.exe
1068	takeown.exe
1432	takeown.exe
1528	icacls.exe
1748	takeown.exe
1956	icacls.exe
1980	icacls.exe
1636	icacls.exe
1692	icacls.exe
652	takeown.exe
1820	icacls.exe
1972	takeown.exe
1448	takeown.exe
240	icacls.exe
1324	takeown.exe
1224	icacls.exe
696	takeown.exe
1956	icacls.exe
1468	icacls.exe
308	icacls.exe
1252	icacls.exe
576	takeown.exe
984	takeown.exe
2004	icacls.exe
272	takeown.exe
1012	takeown.exe
688	icacls.exe
1692	icacls.exe
1176	takeown.exe
1012	takeown.exe
1684	takeown.exe
1656	icacls.exe
1980	icacls.exe
1908	takeown.exe
2040	takeown.exe
1068	icacls.exe
316	icacls.exe
616	takeown.exe
1284	icacls.exe
1256	icacls.exe
876	icacls.exe
1452	takeown.exe
1432	takeown.exe
1808	takeown.exe
432	takeown.exe
1920	icacls.exe
1084	icacls.exe
1524	takeown.exe
1332	icacls.exe
1708	icacls.exe
636	takeown.exe
652	icacls.exe
328	icacls.exe
1864	takeown.exe
876	takeown.exe
1240	icacls.exe
676	takeown.exe
1540	takeown.exe
468	takeown.exe
700	takeown.exe
960	takeown.exe
1432	icacls.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

zetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 whatismyipaddress.com
13 whatismyip.everdot.org

flow	ioc
9	whatismyipaddress.com
13	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exezetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification	C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File opened for modification	C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File opened for modification	C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe

Drops file in Program Files directory 64 IoCs

Processes:

zetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnufavtsb\AdobeCollabSync.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\nqhugsneoo\DW20.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\twnuitlmej\msinfo32.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\twnuyaljbr\Wkconv.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnubgfszu\A3DUtility.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnuitasfs\AcroRd32.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\Adobe AIR Application Installer.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurqhuq\Adobe AIR Updater.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\twnusvjeeo\mip.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\twnuurisru\chrome_installer.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnuitasfs\AcroRd32.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhualcnij\MSOXMLED.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\twnubbiwvy\ODeploy.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\twnuitlmej\msinfo32.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\twnubaxtgs\Oarpmany.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\twnubaxtgs\Oarpmany.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\twnuurahvm\SC_Reader.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhualcnij\MSOXMLED.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\nqhupufdtx\ACCICONS.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\twnushqldy\Setup.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\Adobe AIR Application Installer.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\twnuurahvm\SC_Reader.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurqhuq\Adobe AIR Updater.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhupufdtj\MSOICONS.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\twnuyaljbr\Wkconv.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe	zetehvgpwf.exe
File opened for modification	C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\nqhuitkepi\EQNEDT32.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\twnusvjeeo\mip.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\nqhuitkepi\EQNEDT32.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuonqzej\ieinstal.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\twnufavtdx\BCSSync.exe	zetehvgpwf.exe
File opened for modification	C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\twnuurqhuq\Adobe_Updater.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\airappinstaller.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwisvi\GoogleUpdateComRegisterShell64.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnubgfszu\A3DUtility.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\twnuurqhuq\Adobe_Updater.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\nqhugsneoo\DW20.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhuxbcdtg\LICLUA.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\nqhupufdtx\ACCICONS.EXE	zetehvgpwf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnufavtsb\AdobeCollabSync.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\twnushqldy\Setup.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe	zetehvgpwf.exe
File opened for modification	C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe	zetehvgpwf.exe
File created	C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\airappinstaller.exe	zetehvgpwf.exe

Drops file in Windows directory 4 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exezetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe

description	ioc	process
File created	C:\Windows\helojpststpvxegsofrovytz.dcd	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification	C:\Windows\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File opened for modification	C:\Windows\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe
File opened for modification	C:\Windows\helojpststpvxegsofrovytz.dcd	zetehvgpwf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zetehvgpwf.exe

pid	process
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe
1232	zetehvgpwf.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

zetehvgpwf.exezetehvgpwf.exe

pid process

1232 zetehvgpwf.exe
268 zetehvgpwf.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

zetehvgpwf.exezetehvgpwf.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1232	zetehvgpwf.exe
Token: SeDebugPrivilege	268	zetehvgpwf.exe
Token: SeTakeOwnershipPrivilege	576	takeown.exe
Token: SeTakeOwnershipPrivilege	564	takeown.exe
Token: SeTakeOwnershipPrivilege	700	takeown.exe
Token: SeTakeOwnershipPrivilege	696	takeown.exe
Token: SeTakeOwnershipPrivilege	2032	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1712	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	580	takeown.exe
Token: SeTakeOwnershipPrivilege	1432	takeown.exe
Token: SeTakeOwnershipPrivilege	1864	takeown.exe
Token: SeTakeOwnershipPrivilege	432	takeown.exe
Token: SeTakeOwnershipPrivilege	616	takeown.exe
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeTakeOwnershipPrivilege	1012	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exezetehvgpwf.exezetehvgpwf.exe

description	pid	process	target process
PID 912 wrote to memory of 1396	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1396	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1396	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1396	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1232	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1232	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1232	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1232	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	zetehvgpwf.exe
PID 1232 wrote to memory of 268	1232	zetehvgpwf.exe	zetehvgpwf.exe
PID 1232 wrote to memory of 268	1232	zetehvgpwf.exe	zetehvgpwf.exe
PID 1232 wrote to memory of 268	1232	zetehvgpwf.exe	zetehvgpwf.exe
PID 1232 wrote to memory of 268	1232	zetehvgpwf.exe	zetehvgpwf.exe
PID 912 wrote to memory of 1784	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 912 wrote to memory of 1784	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 912 wrote to memory of 1784	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 912 wrote to memory of 1784	912	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 268 wrote to memory of 1300	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1300	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1300	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1300	268	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1808	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1808	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1808	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1808	1232	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1696	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1696	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1696	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1696	268	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 240	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 240	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 240	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 240	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1932	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1932	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1932	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1932	1232	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1928	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1928	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1928	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 1928	268	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1528	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1528	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1528	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1528	1232	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 960	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 960	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 960	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 960	268	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 556	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 556	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 556	1232	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 556	1232	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 468	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 468	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 468	268	zetehvgpwf.exe	takeown.exe
PID 268 wrote to memory of 468	268	zetehvgpwf.exe	takeown.exe
PID 1232 wrote to memory of 1468	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1468	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1468	1232	zetehvgpwf.exe	icacls.exe
PID 1232 wrote to memory of 1468	1232	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1956	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1956	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1956	268	zetehvgpwf.exe	icacls.exe
PID 268 wrote to memory of 1956	268	zetehvgpwf.exe	icacls.exe

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

Processes:

zetehvgpwf.exezetehvgpwf.exezetehvgpwf.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zetehvgpwf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zetehvgpwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zetehvgpwf.exe

C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
"C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:912

C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
"C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System policy modification
PID:1396

C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
"C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1232

C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
"C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:268

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"
4⤵
- Possible privilege escalation attempt
PID:1300

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D
4⤵
PID:1696

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"
4⤵
- Modifies file permissions
PID:1928

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:960

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"
4⤵
- Modifies file permissions
PID:468

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D
4⤵
PID:1956

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
4⤵
PID:816

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1400

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"
4⤵
PID:1928

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D
4⤵
PID:1712

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
4⤵
- Modifies file permissions
PID:876

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D
4⤵
PID:1908

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"
4⤵
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:904

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:432

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D
4⤵
PID:676

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"
4⤵
- Modifies file permissions
PID:652

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1820

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
4⤵
PID:1808

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D
4⤵
PID:304

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"
4⤵
PID:1284

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D
4⤵
PID:1352

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"
4⤵
PID:580

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D
4⤵
PID:1956

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"
4⤵
- Modifies file permissions
PID:1324

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D
4⤵
PID:1252

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"
4⤵
PID:2040

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D
4⤵
PID:1256

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"
4⤵
PID:1496

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D
4⤵
PID:876

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"
4⤵
PID:1708

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D
4⤵
PID:1240

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"
4⤵
PID:1928

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1656

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"
4⤵
- Possible privilege escalation attempt
PID:1608

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D
4⤵
- Modifies file permissions
PID:652

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"
4⤵
- Modifies file permissions
PID:1908

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D
4⤵
- Modifies file permissions
PID:1980

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
4⤵
PID:1176

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D
4⤵
PID:1528

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D
4⤵
PID:1972

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1332

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1956

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:616

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"
4⤵
PID:1720

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1636

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"
4⤵
PID:652

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1324

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"
4⤵
- Possible privilege escalation attempt
PID:1204

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D
4⤵
PID:316

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1012

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1820

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"
4⤵
- Possible privilege escalation attempt
PID:2028

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1084

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"
4⤵
PID:1768

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1556

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"
4⤵
PID:1688

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1240

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"
4⤵
PID:1964

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D
4⤵
PID:1656

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"
4⤵
- Possible privilege escalation attempt
PID:2004

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1400

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"
4⤵
PID:304

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D
4⤵
PID:1956

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D
4⤵
PID:1452

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"
4⤵
PID:1536

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D
4⤵
PID:560

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"
4⤵
PID:688

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
4⤵
PID:904

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
4⤵
PID:1332

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
4⤵
PID:304

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
4⤵
- Possible privilege escalation attempt
PID:1204

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
4⤵
PID:1560

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
4⤵
PID:1724

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
4⤵
PID:328

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
4⤵
- Modifies file permissions
PID:984

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
4⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
4⤵
PID:1908

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1432

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
4⤵
- Modifies file permissions
PID:676

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
4⤵
PID:1068

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
4⤵
PID:544

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
4⤵
PID:1972

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
4⤵
PID:240

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:2004

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
4⤵
- Possible privilege escalation attempt
PID:2032

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
4⤵
PID:1408

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
4⤵
- Possible privilege escalation attempt
PID:1524

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:676

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:272

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1224

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
4⤵
PID:468

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1708

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
4⤵
PID:1204

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
4⤵
PID:1568

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"
4⤵
PID:1496

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D
4⤵
PID:1660

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"
4⤵
- Modifies file permissions
PID:1540

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D
4⤵
PID:1768

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"
4⤵
PID:1256

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1820

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"
4⤵
PID:1724

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D
4⤵
PID:328

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"
4⤵
PID:1300

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D
4⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:240

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"
3⤵
PID:1932

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"
3⤵
- Possible privilege escalation attempt
PID:556

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
3⤵
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1708

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"
3⤵
PID:1552

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1284

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
3⤵
PID:1052

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D
3⤵
PID:1312

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"
3⤵
PID:1696

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:308

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"
3⤵
- Modifies file permissions
PID:1176

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1256

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"
3⤵
- Possible privilege escalation attempt
PID:1468

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:876

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
3⤵
- Possible privilege escalation attempt
PID:1388

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1252

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"
3⤵
PID:2024

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:432

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"
3⤵
PID:1304

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1332

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"
3⤵
PID:552

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"
3⤵
- Modifies file permissions
PID:576

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D
3⤵
PID:2028

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"
3⤵
PID:1660

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D
3⤵
PID:1908

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"
3⤵
PID:904

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D
3⤵
PID:1548

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"
3⤵
- Possible privilege escalation attempt
PID:1204

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D
3⤵
PID:636

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"
3⤵
- Modifies file permissions
PID:700

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1304

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"
3⤵
PID:984

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
3⤵
- Modifies file permissions
PID:1452

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D
3⤵
PID:920

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"
3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D
3⤵
PID:1084

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D
3⤵
PID:1872

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"
3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D
3⤵
PID:876

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"
3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:920

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"
3⤵
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:328

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"
3⤵
- Possible privilege escalation attempt
PID:1872

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D
3⤵
PID:1496

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"
3⤵
PID:552

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D
3⤵
- Modifies file permissions
PID:1068

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"
3⤵
PID:1148

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D
3⤵
PID:1536

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"
3⤵
PID:1400

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D
3⤵
PID:1976

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"
3⤵
PID:708

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:2036

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"
3⤵
- Modifies file permissions
PID:960

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1928

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"
3⤵
- Modifies file permissions
PID:1972

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1012

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"
3⤵
- Possible privilege escalation attempt
PID:688

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1980

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"
3⤵
PID:1768

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1920

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1524

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:316

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"
3⤵
PID:1076

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D
3⤵
PID:1972

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"
3⤵
PID:1660

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
3⤵
PID:652

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
3⤵
PID:1408

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1956

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
3⤵
- Possible privilege escalation attempt
PID:1252

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
3⤵
PID:1284

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
3⤵
PID:976

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:1692

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1448

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
3⤵
PID:708

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
3⤵
PID:1968

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
3⤵
- Possible privilege escalation attempt
PID:960

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
3⤵
PID:1688

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
3⤵
- Possible privilege escalation attempt
PID:864

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:564

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
3⤵
- Possible privilege escalation attempt
PID:468

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:836

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
3⤵
- Possible privilege escalation attempt
PID:1436

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:880

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
3⤵
PID:2024

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1688

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"
3⤵
PID:1964

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D
3⤵
PID:1052

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:240

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
3⤵
PID:780

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
3⤵
PID:112

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"
3⤵
PID:1168

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:688

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"
3⤵
- Modifies file permissions
PID:1432

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D
3⤵
PID:1908

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"
3⤵
PID:1252

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D
3⤵
PID:1204

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"
3⤵
- Modifies file permissions
PID:636

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1972

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"
3⤵
- Possible privilege escalation attempt
PID:652

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D
3⤵
- Modifies file permissions
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
37af78e55d38cba5679c4e1d816f9be2

SHA1
37fef31bf2abc46a72b5bb632bc5be75397bdfd4

SHA256
80aadb2c8a0590379f95bf76ab0c976453709889787e4dcfd5fe766bf900cb9d

SHA512
844dff6c0d2c3c93764ab1cd7b9ec254484faa5a9a9e99eb867018ee00a9ab481230f51b122369be76a1d973b124cbf5b8207c542ad68d9d789edd58e5222f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
bab461cb0c367455906bd3c65bc4cd01

SHA1
eb80e781c79f16d946af5412378dee1e1aa707d6

SHA256
673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014

SHA512
ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
37af78e55d38cba5679c4e1d816f9be2

SHA1
37fef31bf2abc46a72b5bb632bc5be75397bdfd4

SHA256
80aadb2c8a0590379f95bf76ab0c976453709889787e4dcfd5fe766bf900cb9d

SHA512
844dff6c0d2c3c93764ab1cd7b9ec254484faa5a9a9e99eb867018ee00a9ab481230f51b122369be76a1d973b124cbf5b8207c542ad68d9d789edd58e5222f6b

Download Submit
C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Windows\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
78be5b937ba933f6c04af5e8c6f7295f

SHA1
39ce543559962f8ffadf9780bf4c70dc5f0bd40e

SHA256
7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

SHA512
dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

Download Submit
C:\Windows\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
bab461cb0c367455906bd3c65bc4cd01

SHA1
eb80e781c79f16d946af5412378dee1e1aa707d6

SHA256
673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014

SHA512
ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

Download Submit
C:\Windows\helojpststpvxegsofrovytz.dcd
Filesize
32B

MD5
bab461cb0c367455906bd3c65bc4cd01

SHA1
eb80e781c79f16d946af5412378dee1e1aa707d6

SHA256
673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014

SHA512
ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

Download Submit
\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
memory/240-94-0x0000000000000000-mapping.dmp

Download
memory/268-72-0x0000000000000000-mapping.dmp

Download
memory/304-130-0x0000000000000000-mapping.dmp

Download
memory/308-117-0x0000000000000000-mapping.dmp

Download
memory/432-120-0x0000000000000000-mapping.dmp

Download
memory/432-133-0x0000000000000000-mapping.dmp

Download
memory/468-100-0x0000000000000000-mapping.dmp

Download
memory/552-140-0x0000000000000000-mapping.dmp

Download
memory/556-99-0x0000000000000000-mapping.dmp

Download
memory/576-143-0x0000000000000000-mapping.dmp

Download
memory/580-135-0x0000000000000000-mapping.dmp

Download
memory/652-123-0x0000000000000000-mapping.dmp

Download
memory/676-122-0x0000000000000000-mapping.dmp

Download
memory/816-105-0x0000000000000000-mapping.dmp

Download
memory/876-126-0x0000000000000000-mapping.dmp

Download
memory/876-150-0x0000000000000000-mapping.dmp

Download
memory/876-112-0x0000000000000000-mapping.dmp

Download
memory/904-118-0x0000000000000000-mapping.dmp

Download
memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/960-98-0x0000000000000000-mapping.dmp

Download
memory/1052-111-0x0000000000000000-mapping.dmp

Download
memory/1176-119-0x0000000000000000-mapping.dmp

Download
memory/1232-62-0x0000000000000000-mapping.dmp

Download
memory/1252-141-0x0000000000000000-mapping.dmp

Download
memory/1252-129-0x0000000000000000-mapping.dmp

Download
memory/1256-146-0x0000000000000000-mapping.dmp

Download
memory/1256-121-0x0000000000000000-mapping.dmp

Download
memory/1284-109-0x0000000000000000-mapping.dmp

Download
memory/1284-132-0x0000000000000000-mapping.dmp

Download
memory/1300-91-0x0000000000000000-mapping.dmp

Download
memory/1304-136-0x0000000000000000-mapping.dmp

Download
memory/1312-114-0x0000000000000000-mapping.dmp

Download
memory/1324-139-0x0000000000000000-mapping.dmp

Download
memory/1332-138-0x0000000000000000-mapping.dmp

Download
memory/1352-134-0x0000000000000000-mapping.dmp

Download
memory/1388-127-0x0000000000000000-mapping.dmp

Download
memory/1396-57-0x0000000000000000-mapping.dmp

Download
memory/1400-106-0x0000000000000000-mapping.dmp

Download
memory/1468-101-0x0000000000000000-mapping.dmp

Download
memory/1468-124-0x0000000000000000-mapping.dmp

Download
memory/1496-148-0x0000000000000000-mapping.dmp

Download
memory/1528-97-0x0000000000000000-mapping.dmp

Download
memory/1552-107-0x0000000000000000-mapping.dmp

Download
memory/1660-147-0x0000000000000000-mapping.dmp

Download
memory/1684-142-0x0000000000000000-mapping.dmp

Download
memory/1684-103-0x0000000000000000-mapping.dmp

Download
memory/1696-115-0x0000000000000000-mapping.dmp

Download
memory/1696-93-0x0000000000000000-mapping.dmp

Download
memory/1708-104-0x0000000000000000-mapping.dmp

Download
memory/1712-110-0x0000000000000000-mapping.dmp

Download
memory/1748-116-0x0000000000000000-mapping.dmp

Download
memory/1784-90-0x0000000000000000-mapping.dmp

Download
memory/1808-128-0x0000000000000000-mapping.dmp

Download
memory/1808-92-0x0000000000000000-mapping.dmp

Download
memory/1820-125-0x0000000000000000-mapping.dmp

Download
memory/1908-149-0x0000000000000000-mapping.dmp

Download
memory/1908-113-0x0000000000000000-mapping.dmp

Download
memory/1928-108-0x0000000000000000-mapping.dmp

Download
memory/1928-96-0x0000000000000000-mapping.dmp

Download
memory/1932-95-0x0000000000000000-mapping.dmp

Download
memory/1956-102-0x0000000000000000-mapping.dmp

Download
memory/1956-137-0x0000000000000000-mapping.dmp

Download
memory/2024-131-0x0000000000000000-mapping.dmp

Download
memory/2028-145-0x0000000000000000-mapping.dmp

Download
memory/2040-144-0x0000000000000000-mapping.dmp

Download