Analysis

  • max time kernel
    150s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2022 17:57

General

  • Target

    17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

  • Size

    512KB

  • MD5

    82fd0018bb2441cfc589124168472840

  • SHA1

    c389e4cd7981f7236f19f357f5ba61901d52dc37

  • SHA256

    17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

  • SHA512

    bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

  • SSDEEP

    6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp

Malware Config

Signatures

  • UAC bypass 3 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Possible privilege escalation attempt 64 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
    "C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
      "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System policy modification
      PID:1396
    • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
      "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
        "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:268
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:1300
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D
          4⤵
          PID:1696
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"
          4⤵
          • Modifies file permissions
          PID:1928
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:960
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"
          4⤵
          • Modifies file permissions
          PID:468
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D
          4⤵
          PID:1956
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
          4⤵
          PID:816
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1400
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"
          4⤵
          PID:1928
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D
          4⤵
          PID:1712
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
          4⤵
          • Modifies file permissions
          PID:876
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D
          4⤵
          PID:1908
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"
          4⤵
          • Modifies file permissions
          PID:1748
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:904
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:432
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D
          4⤵
          PID:676
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"
          4⤵
          • Modifies file permissions
          PID:652
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1820
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
          4⤵
          PID:1808
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D
          4⤵
          PID:304
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"
          4⤵
          PID:1284
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D
          4⤵
          PID:1352
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"
          4⤵
          PID:580
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D
          4⤵
          PID:1956
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"
          4⤵
          • Modifies file permissions
          PID:1324
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D
          4⤵
          PID:1252
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"
          4⤵
          PID:2040
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D
          4⤵
          PID:1256
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"
          4⤵
          PID:1496
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D
          4⤵
          PID:876
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"
          4⤵
          PID:1708
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D
          4⤵
          PID:1240
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"
          4⤵
          PID:1928
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1656
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"
          4⤵
          • Possible privilege escalation attempt
          PID:1608
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:652
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"
          4⤵
          • Modifies file permissions
          PID:1908
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1980
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
          4⤵
          PID:1176
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D
          4⤵
          PID:1528
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:576
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D
          4⤵
          PID:1972
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:700
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1332
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1908
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1956
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:616
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1636
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"
          4⤵
          PID:652
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1324
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"
          4⤵
          • Possible privilege escalation attempt
          PID:1204
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D
          4⤵
          PID:316
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1012
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1820
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:2028
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1084
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"
          4⤵
          PID:1768
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1556
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"
          4⤵
          PID:1688
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1240
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"
          4⤵
          PID:1964
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D
          4⤵
          PID:1656
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:2004
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1400
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"
          4⤵
          PID:304
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D
          4⤵
          PID:1956
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1068
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D
          4⤵
          PID:1452
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"
          4⤵
          PID:1536
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D
          4⤵
          PID:560
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"
          4⤵
          PID:688
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
          4⤵
          PID:904
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
          4⤵
          PID:1332
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
          4⤵
                                                                                          PID:304
                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
                                                                                          4⤵
                                                                                          • Possible privilege escalation attempt
                                                                                          PID:1204
                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
                                                                                          4⤵
                                                                                            PID:1560
                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
                                                                                            4⤵
                                                                                              PID:1724
                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
                                                                                              4⤵
                                                                                                PID:328
                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
                                                                                                4⤵
                                                                                                • Modifies file permissions
                                                                                                PID:984
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
                                                                                                4⤵
                                                                                                  PID:1300
                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
                                                                                                  4⤵
                                                                                                    PID:1908
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
                                                                                                    4⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:1432
                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
                                                                                                    4⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:676
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
                                                                                                    4⤵
                                                                                                      PID:1068
                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
                                                                                                      4⤵
                                                                                                        PID:544
                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
                                                                                                        4⤵
                                                                                                          PID:1972
                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
                                                                                                          4⤵
                                                                                                            PID:240
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
                                                                                                            4⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:2004
                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
                                                                                                            4⤵
                                                                                                            • Possible privilege escalation attempt
                                                                                                            PID:2032
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
                                                                                                            4⤵
                                                                                                              PID:1408
                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
                                                                                                              4⤵
                                                                                                              • Possible privilege escalation attempt
                                                                                                              PID:1524
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
                                                                                                              4⤵
                                                                                                              • Possible privilege escalation attempt
                                                                                                              PID:676
                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"
                                                                                                              4⤵
                                                                                                              • Possible privilege escalation attempt
                                                                                                              • Modifies file permissions
                                                                                                              PID:272
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D
                                                                                                              4⤵
                                                                                                              • Possible privilege escalation attempt
                                                                                                              • Modifies file permissions
                                                                                                              PID:1224
                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
                                                                                                              4⤵
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:580
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
                                                                                                              4⤵
                                                                                                                PID:468
                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
                                                                                                                4⤵
                                                                                                                • Modifies file permissions
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1432
                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
                                                                                                                4⤵
                                                                                                                • Modifies file permissions
                                                                                                                PID:1708
                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
                                                                                                                4⤵
                                                                                                                • Modifies file permissions
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:616
                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
                                                                                                                4⤵
                                                                                                                  PID:1204
                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
                                                                                                                  4⤵
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1720
                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
                                                                                                                  4⤵
                                                                                                                    PID:1568
                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"
                                                                                                                    4⤵
                                                                                                                      PID:1496
                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D
                                                                                                                      4⤵
                                                                                                                        PID:1660
                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"
                                                                                                                        4⤵
                                                                                                                        • Modifies file permissions
                                                                                                                        PID:1540
                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D
                                                                                                                        4⤵
                                                                                                                          PID:1768
                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"
                                                                                                                          4⤵
                                                                                                                            PID:1256
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D
                                                                                                                            4⤵
                                                                                                                            • Possible privilege escalation attempt
                                                                                                                            PID:1820
                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"
                                                                                                                            4⤵
                                                                                                                              PID:1724
                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D
                                                                                                                              4⤵
                                                                                                                                PID:328
                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"
                                                                                                                                4⤵
                                                                                                                                  PID:1300
                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D
                                                                                                                                  4⤵
                                                                                                                                    PID:1448
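Every pair in the tree above is the same two-step: takeown.exe /f takes ownership of a Program Files executable the sample does not own, then icacls.exe grants the sandbox user Delete on it (/grant Admin:D), the right needed to remove or overwrite that file afterwards. Either command on its own is routine administration; the signal is the pairing on one path and its repetition over dozens of executables from a single parent. The detector below is an added example for this report, not code from the sample or from the sandbox: it pairs Sysmon-style process-creation records by normalized target path and alerts when a grant of a delete, full, modify or write right follows a takeown within a short window. The records it runs on are constructed to mirror command lines from the tree (the PIDs of the three pairs are taken from the tree; parent PID 1100, the timestamps and the two non-alerting records at the end are assumptions).

```python
# Added example for this report, not the sample's code or sandbox output: pair takeown.exe
# and icacls.exe process creations by target file and flag the takeown -> "/grant <user>:D"
# sequence that repeats through the tree above.
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

DESTRUCTIVE_RIGHTS = {"D", "F", "M", "W"}  # icacls rights that allow delete/replace; R/RX do not
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')  # Windows argv: quotes group, backslashes are literal
_INHERIT_FLAGS = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)

# Sysmon Event ID 1 subset. Match tools on `image`: the sample's command lines say System32
# while the 32-bit images actually run from SysWOW64 (file-system redirection).
ProcEvent = NamedTuple("ProcEvent", [("time", datetime), ("pid", int), ("parent_pid", int),
                                     ("image", str), ("cmdline", str)])
Alert = NamedTuple("Alert", [("target", str), ("takeown_pid", int), ("icacls_pid", int),
                             ("parent_pid", int), ("grantee", str), ("rights", Set[str]), ("gap_seconds", float)])

def split_windows_cmdline(cmdline: str) -> List[str]:
    # shlex in POSIX mode would eat the backslashes in these paths; do not use it here.
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _ARG_RE.finditer(cmdline)]

def normalize_path(path: str) -> str:
    # The sample writes "C:\Program Files (x86)\\Common Files\..."; NTFS accepts the doubled
    # separator, so collapse it here or the takeown and icacls records never match each other.
    return re.sub(r"\\+", r"\\", path.strip()).lower()

def takeown_target(args: List[str]) -> Optional[str]:
    # takeown.exe /f <file> [...]
    for i, a in enumerate(args):
        if a.lower() == "/f" and i + 1 < len(args):
            return normalize_path(args[i + 1])
    return None

def icacls_grants(args: List[str]) -> Tuple[Optional[str], Dict[str, Set[str]]]:
    # icacls.exe <file> [/grant[:r] Sid:perm ...] -> (target, {grantee: rights}); other switches skipped
    target, grants, i = None, {}, 1          # args[0] is the icacls image itself
    while i < len(args):
        if args[i].lower().startswith("/grant"):
            i += 1
            while i < len(args) and not args[i].startswith("/"):
                who, _, perm = args[i].rpartition(":")
                perm = _INHERIT_FLAGS.sub("", perm).upper()   # "(OI)(CI)RX" -> "RX"
                grants.setdefault(who, set()).update(re.findall(r"[A-Z]+", perm))
                i += 1
            continue
        if not args[i].startswith("/") and target is None:   # first non-switch argument
            target = normalize_path(args[i])
        i += 1
    return target, grants

def detect_takeown_icacls(events: List[ProcEvent], window=timedelta(minutes=5)) -> List[Alert]:
    pending: Dict[str, ProcEvent] = {}       # normalized target -> most recent takeown
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        tool = ev.image.rsplit("\\", 1)[-1].lower()
        args = split_windows_cmdline(ev.cmdline)
        if tool == "takeown.exe":
            target = takeown_target(args)
            if target:
                pending[target] = ev
        elif tool == "icacls.exe":
            target, grants = icacls_grants(args)
            prior = pending.get(target) if target else None
            if prior is None or ev.time - prior.time > window:
                continue                     # no takeown on this path, or too long ago
            for who, rights in grants.items():
                hit = rights & DESTRUCTIVE_RIGHTS
                if hit:
                    alerts.append(Alert(target, prior.pid, ev.pid, ev.parent_pid, who, hit,
                                        (ev.time - prior.time).total_seconds()))
    return alerts

def noisy_parents(alerts: List[Alert], min_targets: int = 3) -> Dict[int, int]:
    # Parents whose children re-permissioned >= min_targets distinct files; breadth is the signal.
    seen: Dict[int, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a.parent_pid, set()).add(a.target)
    return {p: len(t) for p, t in seen.items() if len(t) >= min_targets}

# Constructed records mirroring the tree above. The pair PIDs are taken from the tree;
# parent PID 1100, the timestamps and the two non-alerting records are assumptions.
_T0 = datetime(2022, 10, 30, 17, 58, 0)
_TAKEOWN, _ICACLS = r"C:\Windows\SysWOW64\takeown.exe", r"C:\Windows\SysWOW64\icacls.exe"

def _pair(sec: int, pid_t: int, pid_i: int, path: str) -> List[ProcEvent]:
    return [ProcEvent(_T0 + timedelta(seconds=sec), pid_t, 1100, _TAKEOWN,
                      f'"C:\\Windows\\System32\\takeown.exe" /f "{path}"'),
            ProcEvent(_T0 + timedelta(seconds=sec + 1), pid_i, 1100, _ICACLS,
                      f'"C:\\Windows\\System32\\icacls.exe" "{path}" /grant Admin:D')]

SAMPLE_EVENTS: List[ProcEvent] = (
    _pair(0, 1068, 1452, r"C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe")
    + _pair(2, 688, 904, r"C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe")
    + _pair(4, 1332, 304, r"C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe")
    + [ProcEvent(_T0 + timedelta(seconds=8), 2600, 900, _TAKEOWN,   # takeown, then a full-control
                 r'"C:\Windows\System32\takeown.exe" /f "C:\Temp\stale.exe"'),  # grant 12 minutes later
       ProcEvent(_T0 + timedelta(minutes=12), 2601, 900, _ICACLS,   # falls outside the window
                 r'"C:\Windows\System32\icacls.exe" "C:\Temp\stale.exe" /grant Admin:F')])
```

Two details matter when turning this into a real rule. Match on the process image, not the path in the command line: the tree shows the command lines naming C:\Windows\System32\ while the images that actually ran are C:\Windows\SysWOW64\, because the 32-bit sample is subject to file-system redirection. And normalize the target before pairing, since the sample writes the path with a doubled backslash after "Program Files (x86)" that NTFS accepts as one separator. Inheritance flags such as (OI)(CI) are stripped from the permission string, so an ordinary web-server grant like IIS_IUSRS:(OI)(CI)RX yields only RX and never alerts. The "Suspicious use of AdjustPrivilegeToken" tag on several takeown.exe entries above is consistent with takeown enabling SeTakeOwnershipPrivilege before changing the owner, which is what the unprivileged-looking /grant step depends on.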
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1808
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:240
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"
        3⤵
        PID:1932
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1528
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"
        3⤵
        • Possible privilege escalation attempt
        PID:556
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1468
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
        3⤵
        • Modifies file permissions
        PID:1684
      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D
                                                                                                                                    3⤵
                                                                                                                                    • Modifies file permissions
                                                                                                                                    PID:1708
                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"
                                                                                                                                    3⤵
                                                                                                                                      PID:1552
                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D
                                                                                                                                      3⤵
                                                                                                                                      • Modifies file permissions
                                                                                                                                      PID:1284
                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
                                                                                                                                      3⤵
                                                                                                                                        PID:1052
                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D
                                                                                                                                        3⤵
                                                                                                                                          PID:1312
                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"
                                                                                                                                          3⤵
                                                                                                                                            PID:1696
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D
                                                                                                                                            3⤵
                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:308
                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:1176
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D
                                                                                                                                            3⤵
                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:1256
                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                            PID:1468
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:876
                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                            PID:1388
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:1252
                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"
                                                                                                                                            3⤵
                                                                                                                                              PID:2024
                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D
                                                                                                                                              3⤵
                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                              PID:432
                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"
                                                                                                                                              3⤵
                                                                                                                                                PID:1304
                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D
                                                                                                                                                3⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:1332
                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"
                                                                                                                                                3⤵
                                                                                                                                                  PID:552
                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1684
                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:576
                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2028
                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:1660
                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1908
                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:904
                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D
                                                                                                                                                            3⤵
                                                                                                                                                              PID:1548
                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"
                                                                                                                                                              3⤵
                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                              PID:1204
                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D
                                                                                                                                                              3⤵
                                                                                                                                                                PID:636
                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"
                                                                                                                                                                3⤵
                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                PID:700
                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D
                                                                                                                                                                3⤵
                                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                                PID:1304
                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:984
                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                  PID:1920
                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                  PID:1452
                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D
                                                                                                                                                                  3⤵
        PID:920
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"
        3⤵
        • Possible privilege escalation attempt
        • Suspicious use of AdjustPrivilegeToken
        PID:564
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D
        3⤵
        PID:1084
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"
        3⤵
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:696
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D
        3⤵
        PID:1872
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"
        3⤵
        • Possible privilege escalation attempt
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D
        3⤵
        PID:876
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"
        3⤵
        • Possible privilege escalation attempt
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:920
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"
        3⤵
        • Modifies file permissions
        PID:2040
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:328
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"
        3⤵
        • Possible privilege escalation attempt
        PID:1872
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D
        3⤵
        PID:1496
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"
        3⤵
        PID:552
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D
        3⤵
        • Modifies file permissions
        PID:1068
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"
        3⤵
        PID:1148
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D
        3⤵
        PID:1536
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"
        3⤵
        PID:1400
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D
        3⤵
        PID:1976
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"
        3⤵
        PID:708
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:2036
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"
        3⤵
        • Modifies file permissions
        PID:960
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:1928
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"
        3⤵
        • Modifies file permissions
        PID:1972
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:1012
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"
        3⤵
        • Possible privilege escalation attempt
        PID:688
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D
        3⤵
        • Modifies file permissions
        PID:1980
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"
        3⤵
        PID:1768
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:1920
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1524
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D
        3⤵
        • Modifies file permissions
        PID:316
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"
        3⤵
        PID:1076
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D
        3⤵
        PID:1972
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"
        3⤵
        PID:1660
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
        3⤵
        PID:652
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
        3⤵
        PID:1408
                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                    PID:1956
                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                                                    PID:1252
                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:1284
                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:976
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:1636
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:1692
                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:1448
                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:708
                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:1968
                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                                                                                            PID:960
                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:1688
                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:864
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:564
                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:468
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:836
                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:1436
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                              PID:880
                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:2024
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                                                                                PID:1688
                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:1964
                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:1052
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:1496
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:240
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:1864
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
        3⤵
          PID:1684
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:432
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
        3⤵
          PID:780
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
        3⤵
          PID:112
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"
        3⤵
          PID:1168
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:688
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"
        3⤵
        • Modifies file permissions
        PID:1432
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D
        3⤵
          PID:1908
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"
        3⤵
          PID:1252
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D
        3⤵
          PID:1204
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"
        3⤵
        • Modifies file permissions
        PID:636
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D
        3⤵
        • Possible privilege escalation attempt
        PID:1972
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"
        3⤵
        • Possible privilege escalation attempt
        PID:652
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D
        3⤵
        • Modifies file permissions
        PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
        PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Privilege Escalation
  • Bypass User Account Control (1) T1088

Defense Evasion
  • Bypass User Account Control (1) T1088
  • Disabling Security Tools (1) T1089
  • Modify Registry (2) T1112
  • File Permissions Modification (1) T1222

Discovery
  • System Information Discovery (2) T1082

Downloads

• C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
  Filesize: 32B
  MD5: 78be5b937ba933f6c04af5e8c6f7295f
  SHA1: 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256: 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512: dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd
  Filesize: 32B
  MD5: 37af78e55d38cba5679c4e1d816f9be2
  SHA1: 37fef31bf2abc46a72b5bb632bc5be75397bdfd4
  SHA256: 80aadb2c8a0590379f95bf76ab0c976453709889787e4dcfd5fe766bf900cb9d
  SHA512: 844dff6c0d2c3c93764ab1cd7b9ec254484faa5a9a9e99eb867018ee00a9ab481230f51b122369be76a1d973b124cbf5b8207c542ad68d9d789edd58e5222f6b

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                78be5b937ba933f6c04af5e8c6f7295f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                39ce543559962f8ffadf9780bf4c70dc5f0bd40e

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                78be5b937ba933f6c04af5e8c6f7295f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                39ce543559962f8ffadf9780bf4c70dc5f0bd40e

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                78be5b937ba933f6c04af5e8c6f7295f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                39ce543559962f8ffadf9780bf4c70dc5f0bd40e

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                bab461cb0c367455906bd3c65bc4cd01

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                eb80e781c79f16d946af5412378dee1e1aa707d6

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                512KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                512KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                512KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                512KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                78be5b937ba933f6c04af5e8c6f7295f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                39ce543559962f8ffadf9780bf4c70dc5f0bd40e

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                78be5b937ba933f6c04af5e8c6f7295f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                39ce543559962f8ffadf9780bf4c70dc5f0bd40e

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Users\Admin\AppData\Local\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 37af78e55d38cba5679c4e1d816f9be2
  SHA1 37fef31bf2abc46a72b5bb632bc5be75397bdfd4
  SHA256 80aadb2c8a0590379f95bf76ab0c976453709889787e4dcfd5fe766bf900cb9d
  SHA512 844dff6c0d2c3c93764ab1cd7b9ec254484faa5a9a9e99eb867018ee00a9ab481230f51b122369be76a1d973b124cbf5b8207c542ad68d9d789edd58e5222f6b

• C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (no Filesize recorded; these four digests are the well-known values for zero-byte input, so the file was empty when this copy was captured)

• C:\Windows\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Windows\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 78be5b937ba933f6c04af5e8c6f7295f
  SHA1 39ce543559962f8ffadf9780bf4c70dc5f0bd40e
  SHA256 7b673dae2457a597ba5ef4474e2c13391d1b1951a425a12fae429f4d213e3edf
  SHA512 dbf7816ea0ff452542c04280d600ee57c6affdd2bdef9b82a5a07930b488119fd06300335418963b54cd53af5f4e0e8cab781192fba646e440479d166b508aad

• C:\Windows\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 bab461cb0c367455906bd3c65bc4cd01
  SHA1 eb80e781c79f16d946af5412378dee1e1aa707d6
  SHA256 673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014
  SHA512 ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

• C:\Windows\helojpststpvxegsofrovytz.dcd
  Filesize 32B
  MD5 bab461cb0c367455906bd3c65bc4cd01
  SHA1 eb80e781c79f16d946af5412378dee1e1aa707d6
  SHA256 673f09480d2c400d5d4ef009450790a24eb2492ac4868ea6412f68fb3d2fb014
  SHA512 ac850ab8403e2e027d5257756687b64c03fe83b0a79e59683bf64d1e5a78d21cdf66a9b923c945d8c2afe5c090688059b77e2a337441f28abedec2dc880ad386

• \Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
  Filesize 512KB
  MD5 82fd0018bb2441cfc589124168472840
  SHA1 c389e4cd7981f7236f19f357f5ba61901d52dc37
  SHA256 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
  SHA512 bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
  (same size and digests as the submitted sample: this dropped executable is a byte-for-byte self-copy written to %TEMP% under a random name, so the hashes above are not new indicators beyond the original sample)

• \Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
  Filesize 512KB
  MD5 82fd0018bb2441cfc589124168472840
  SHA1 c389e4cd7981f7236f19f357f5ba61901d52dc37
  SHA256 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
  SHA512 bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

  • \Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
    Filesize
    512KB
    MD5
    82fd0018bb2441cfc589124168472840
    SHA1
    c389e4cd7981f7236f19f357f5ba61901d52dc37
    SHA256
    17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
    SHA512
    bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff


  • memory/240-94-0x0000000000000000-mapping.dmp
  • memory/268-72-0x0000000000000000-mapping.dmp
  • memory/304-130-0x0000000000000000-mapping.dmp
  • memory/308-117-0x0000000000000000-mapping.dmp
  • memory/432-120-0x0000000000000000-mapping.dmp
  • memory/432-133-0x0000000000000000-mapping.dmp
  • memory/468-100-0x0000000000000000-mapping.dmp
  • memory/552-140-0x0000000000000000-mapping.dmp
  • memory/556-99-0x0000000000000000-mapping.dmp
  • memory/576-143-0x0000000000000000-mapping.dmp
  • memory/580-135-0x0000000000000000-mapping.dmp
  • memory/652-123-0x0000000000000000-mapping.dmp
  • memory/676-122-0x0000000000000000-mapping.dmp
  • memory/816-105-0x0000000000000000-mapping.dmp
  • memory/876-126-0x0000000000000000-mapping.dmp
  • memory/876-150-0x0000000000000000-mapping.dmp
  • memory/876-112-0x0000000000000000-mapping.dmp
  • memory/904-118-0x0000000000000000-mapping.dmp
  • memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp
    Filesize
    8KB
  • memory/960-98-0x0000000000000000-mapping.dmp
  • memory/1052-111-0x0000000000000000-mapping.dmp
  • memory/1176-119-0x0000000000000000-mapping.dmp
  • memory/1232-62-0x0000000000000000-mapping.dmp
  • memory/1252-141-0x0000000000000000-mapping.dmp
  • memory/1252-129-0x0000000000000000-mapping.dmp
  • memory/1256-146-0x0000000000000000-mapping.dmp
  • memory/1256-121-0x0000000000000000-mapping.dmp
  • memory/1284-109-0x0000000000000000-mapping.dmp
  • memory/1284-132-0x0000000000000000-mapping.dmp
  • memory/1300-91-0x0000000000000000-mapping.dmp
  • memory/1304-136-0x0000000000000000-mapping.dmp
  • memory/1312-114-0x0000000000000000-mapping.dmp
  • memory/1324-139-0x0000000000000000-mapping.dmp
  • memory/1332-138-0x0000000000000000-mapping.dmp
  • memory/1352-134-0x0000000000000000-mapping.dmp
  • memory/1388-127-0x0000000000000000-mapping.dmp
  • memory/1396-57-0x0000000000000000-mapping.dmp
  • memory/1400-106-0x0000000000000000-mapping.dmp
  • memory/1468-101-0x0000000000000000-mapping.dmp
  • memory/1468-124-0x0000000000000000-mapping.dmp
  • memory/1496-148-0x0000000000000000-mapping.dmp
  • memory/1528-97-0x0000000000000000-mapping.dmp
  • memory/1552-107-0x0000000000000000-mapping.dmp
  • memory/1660-147-0x0000000000000000-mapping.dmp
  • memory/1684-142-0x0000000000000000-mapping.dmp
  • memory/1684-103-0x0000000000000000-mapping.dmp
  • memory/1696-115-0x0000000000000000-mapping.dmp
  • memory/1696-93-0x0000000000000000-mapping.dmp
  • memory/1708-104-0x0000000000000000-mapping.dmp
  • memory/1712-110-0x0000000000000000-mapping.dmp
  • memory/1748-116-0x0000000000000000-mapping.dmp
  • memory/1784-90-0x0000000000000000-mapping.dmp
  • memory/1808-128-0x0000000000000000-mapping.dmp
  • memory/1808-92-0x0000000000000000-mapping.dmp
  • memory/1820-125-0x0000000000000000-mapping.dmp
  • memory/1908-149-0x0000000000000000-mapping.dmp
  • memory/1908-113-0x0000000000000000-mapping.dmp
  • memory/1928-108-0x0000000000000000-mapping.dmp
  • memory/1928-96-0x0000000000000000-mapping.dmp
  • memory/1932-95-0x0000000000000000-mapping.dmp
  • memory/1956-102-0x0000000000000000-mapping.dmp
  • memory/1956-137-0x0000000000000000-mapping.dmp
  • memory/2024-131-0x0000000000000000-mapping.dmp
  • memory/2028-145-0x0000000000000000-mapping.dmp
  • memory/2040-144-0x0000000000000000-mapping.dmp
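The dropped-file and memory-dump lists above are easier to act on once they are parsed into records: the dropped `zetehvgpwf.exe` carries exactly the size, MD5, SHA1, SHA256 and SHA512 of the submitted sample, so it is a byte-identical self-copy rather than a second-stage payload, and the `memory/<pid>-<seq>-...` names tell you which process IDs the sandbox captured. The script below is an added example, not part of the sandbox report or its tooling: it parses an excerpt constructed from entries on this page (bullets with indented label/value pairs), deduplicates repeated listings of the same artifact, checks the dropped copy against the submitted hashes, and groups dumps by PID. The regex for the dump file names and the treatment of `mapping` versus `memory` dumps (only the latter carry an address range) are assumptions drawn from the names shown here, not from the sandbox's documentation.

```python
"""Parse sandbox dropped-file and memory-dump entries into records, then
check whether the dropped copy matches the submitted sample's hashes and
which PIDs have dumps. Added example; REPORT_EXCERPT is a constructed
excerpt in the report's layout, not a live report."""
import re
from collections import defaultdict

# Hashes of the submitted sample, copied from the report header.
SUBMITTED = {
    "MD5": "82fd0018bb2441cfc589124168472840",
    "SHA1": "c389e4cd7981f7236f19f357f5ba61901d52dc37",
    "SHA256": "17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9",
    "SHA512": "bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da"
              "7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff",
}

# Constructed excerpt: the same dropped file listed twice, plus a few dumps.
# Raw string so the Windows path backslashes are kept literally.
REPORT_EXCERPT = r"""
• \Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
  Filesize
  512KB
  MD5
  82fd0018bb2441cfc589124168472840
  SHA1
  c389e4cd7981f7236f19f357f5ba61901d52dc37
  SHA256
  17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
  SHA512
  bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
• \Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
  Filesize
  512KB
  MD5
  82fd0018bb2441cfc589124168472840
  SHA1
  c389e4cd7981f7236f19f357f5ba61901d52dc37
  SHA256
  17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
  SHA512
  bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
• memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp
  Filesize
  8KB
• memory/1396-57-0x0000000000000000-mapping.dmp
• memory/1232-62-0x0000000000000000-mapping.dmp
• memory/876-112-0x0000000000000000-mapping.dmp
• memory/876-126-0x0000000000000000-mapping.dmp
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Assumed name layout: memory/<pid>-<seq>-<start>[-<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_entries(text):
    """Turn '• name' bullets with indented label/value pairs into dicts."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"name": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in LABELS:
            pending = line            # next non-empty line is this label's value
        elif current is not None and pending is not None:
            current[pending] = line
            pending = None
    return entries


def dropped_files(entries):
    """Entries that carry hashes, deduplicated on (path, SHA256) so the same
    artifact listed several times collapses into one record."""
    seen = {}
    for e in entries:
        if "SHA256" in e:
            seen.setdefault((e["name"], e["SHA256"]), e)
    return list(seen.values())


def is_self_copy(entry, submitted=SUBMITTED):
    """True when every hash of the submitted sample matches the entry, i.e.
    the dropped file is a byte-identical copy of what was submitted."""
    return all(entry.get(algo) == digest for algo, digest in submitted.items())


def dumps_by_pid(entries):
    """Group dump entries by PID; 'memory' dumps get start/end/size in bytes."""
    by_pid = defaultdict(list)
    for e in entries:
        m = DUMP_RE.match(e["name"])
        if not m:
            continue
        rec = {"kind": m["kind"], "seq": int(m["seq"]), "start": int(m["start"], 16)}
        if m["end"]:
            rec["end"] = int(m["end"], 16)
            rec["size"] = rec["end"] - rec["start"]
        by_pid[int(m["pid"])].append(rec)
    return dict(by_pid)


if __name__ == "__main__":
    parsed = parse_entries(REPORT_EXCERPT)
    for f in dropped_files(parsed):
        print(f["name"], f["Filesize"], "self-copy" if is_self_copy(f) else "DIFFERENT")
    for pid, dumps in sorted(dumps_by_pid(parsed).items()):
        print(pid, [(d["kind"], d.get("size")) for d in dumps])
```

Run it on the full report text and any dropped file whose hashes differ from the submission is the one to pull for further analysis; a PID with a `memory` dump has a captured region you can carve, while a PID with only `mapping` dumps does not.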