Analysis
max time kernel: 150s
max time network: 64s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 17:57

Static task: static1
Behavioral task: behavioral1
Sample: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Resource: win7-20220812-en

General
Target: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Size: 512KB
MD5: 82fd0018bb2441cfc589124168472840
SHA1: c389e4cd7981f7236f19f357f5ba61901d52dc37
SHA256: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
SHA512: bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
SSDEEP: 6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp

Malware Config

Signatures
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
1396 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
268 | zetehvgpwf.exe
Possible privilege escalation attempt 64 IoCs
Processes:
pid | process
1012 | icacls.exe
1920 | icacls.exe
1872 | takeown.exe
1608 | takeown.exe
1556 | icacls.exe
1688 | icacls.exe
1468 | takeown.exe
1256 | icacls.exe
1656 | icacls.exe
1920 | icacls.exe
2032 | takeown.exe
864 | takeown.exe
1468 | icacls.exe
688 | takeown.exe
272 | takeown.exe
1748 | takeown.exe
1068 | takeown.exe
328 | icacls.exe
2004 | takeown.exe
1524 | takeown.exe
1224 | icacls.exe
564 | takeown.exe
2036 | icacls.exe
688 | icacls.exe
1636 | icacls.exe
920 | icacls.exe
1436 | takeown.exe
1524 | takeown.exe
1820 | icacls.exe
1972 | icacls.exe
616 | icacls.exe
960 | icacls.exe
432 | takeown.exe
1388 | takeown.exe
1400 | icacls.exe
2032 | takeown.exe
880 | icacls.exe
1808 | takeown.exe
432 | icacls.exe
1324 | icacls.exe
960 | takeown.exe
1300 | takeown.exe
1332 | icacls.exe
1252 | takeown.exe
1448 | takeown.exe
308 | icacls.exe
1204 | takeown.exe
1820 | icacls.exe
564 | icacls.exe
676 | icacls.exe
1012 | takeown.exe
240 | icacls.exe
1204 | takeown.exe
1012 | takeown.exe
1204 | takeown.exe
468 | takeown.exe
836 | icacls.exe
1528 | icacls.exe
1304 | icacls.exe
2028 | takeown.exe
1400 | icacls.exe
1928 | icacls.exe
652 | takeown.exe
556 | takeown.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
1232 | zetehvgpwf.exe
Modifies file permissions 1 TTPs 64 IoCs
Processes:
pid | process
1928 | takeown.exe
1708 | icacls.exe
904 | icacls.exe
1068 | takeown.exe
1432 | takeown.exe
1528 | icacls.exe
1748 | takeown.exe
1956 | icacls.exe
1980 | icacls.exe
1636 | icacls.exe
1692 | icacls.exe
652 | takeown.exe
1820 | icacls.exe
1972 | takeown.exe
1448 | takeown.exe
240 | icacls.exe
1324 | takeown.exe
1224 | icacls.exe
696 | takeown.exe
1956 | icacls.exe
1468 | icacls.exe
308 | icacls.exe
1252 | icacls.exe
576 | takeown.exe
984 | takeown.exe
2004 | icacls.exe
272 | takeown.exe
1012 | takeown.exe
688 | icacls.exe
1692 | icacls.exe
1176 | takeown.exe
1012 | takeown.exe
1684 | takeown.exe
1656 | icacls.exe
1980 | icacls.exe
1908 | takeown.exe
2040 | takeown.exe
1068 | icacls.exe
316 | icacls.exe
616 | takeown.exe
1284 | icacls.exe
1256 | icacls.exe
876 | icacls.exe
1452 | takeown.exe
1432 | takeown.exe
1808 | takeown.exe
432 | takeown.exe
1920 | icacls.exe
1084 | icacls.exe
1524 | takeown.exe
1332 | icacls.exe
1708 | icacls.exe
636 | takeown.exe
652 | icacls.exe
328 | icacls.exe
1864 | takeown.exe
876 | takeown.exe
1240 | icacls.exe
676 | takeown.exe
1540 | takeown.exe
468 | takeown.exe
700 | takeown.exe
960 | takeown.exe
1432 | icacls.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | whatismyipaddress.com
13 | whatismyip.everdot.org
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification | C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File opened for modification | C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File opened for modification | C:\Windows\SysWOW64\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnufavtsb\AdobeCollabSync.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\DW\nqhugsneoo\DW20.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\twnuitlmej\msinfo32.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\twnuyaljbr\Wkconv.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnubgfszu\A3DUtility.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnuitasfs\AcroRd32.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\Adobe AIR Application Installer.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurqhuq\Adobe AIR Updater.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\twnusvjeeo\mip.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\twnuurisru\chrome_installer.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnuitasfs\AcroRd32.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhualcnij\MSOXMLED.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\twnubbiwvy\ODeploy.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\twnuitlmej\msinfo32.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\twnubaxtgs\Oarpmany.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\twnubaxtgs\Oarpmany.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\twnuurahvm\SC_Reader.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhualcnij\MSOXMLED.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\nqhupufdtx\ACCICONS.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\twnushqldy\Setup.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\Adobe AIR Application Installer.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\twnuurahvm\SC_Reader.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurqhuq\Adobe AIR Updater.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhupufdtj\MSOICONS.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\twnuyaljbr\Wkconv.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe | zetehvgpwf.exe
File opened for modification | C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\nqhuitkepi\EQNEDT32.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\twnusvjeeo\mip.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\nqhuitkepi\EQNEDT32.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuonqzej\ieinstal.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\twnufavtdx\BCSSync.exe | zetehvgpwf.exe
File opened for modification | C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\twnuurqhuq\Adobe_Updater.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\airappinstaller.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwisvi\GoogleUpdateComRegisterShell64.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnubgfszu\A3DUtility.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\twnuurqhuq\Adobe_Updater.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\DW\nqhugsneoo\DW20.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\nqhuxbcdtg\LICLUA.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\nqhupufdtx\ACCICONS.EXE | zetehvgpwf.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\twnufavtsb\AdobeCollabSync.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\twnushqldy\Setup.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe | zetehvgpwf.exe
File opened for modification | C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe | zetehvgpwf.exe
File created | C:\Program Files (x86)\helojpststpvxegsofrovytz.dcd | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\twnuurisru\airappinstaller.exe | zetehvgpwf.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\helojpststpvxegsofrovytz.dcd | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification | C:\Windows\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File opened for modification | C:\Windows\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
File opened for modification | C:\Windows\helojpststpvxegsofrovytz.dcd | zetehvgpwf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
1232 | zetehvgpwf.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
1232 | zetehvgpwf.exe
268 | zetehvgpwf.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1232 | zetehvgpwf.exe
Token: SeDebugPrivilege | 268 | zetehvgpwf.exe
Token: SeTakeOwnershipPrivilege | 576 | takeown.exe
Token: SeTakeOwnershipPrivilege | 564 | takeown.exe
Token: SeTakeOwnershipPrivilege | 700 | takeown.exe
Token: SeTakeOwnershipPrivilege | 696 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2032 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1908 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1748 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1712 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1496 | takeown.exe
Token: SeTakeOwnershipPrivilege | 580 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1432 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1864 | takeown.exe
Token: SeTakeOwnershipPrivilege | 432 | takeown.exe
Token: SeTakeOwnershipPrivilege | 616 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1720 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1012 | takeown.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 912 wrote to memory of 1396 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1396 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1396 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1396 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1232 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1232 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1232 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1232 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | zetehvgpwf.exe
PID 1232 wrote to memory of 268 | 1232 | zetehvgpwf.exe | zetehvgpwf.exe
PID 1232 wrote to memory of 268 | 1232 | zetehvgpwf.exe | zetehvgpwf.exe
PID 1232 wrote to memory of 268 | 1232 | zetehvgpwf.exe | zetehvgpwf.exe
PID 1232 wrote to memory of 268 | 1232 | zetehvgpwf.exe | zetehvgpwf.exe
PID 912 wrote to memory of 1784 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | cmd.exe
PID 912 wrote to memory of 1784 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | cmd.exe
PID 912 wrote to memory of 1784 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | cmd.exe
PID 912 wrote to memory of 1784 | 912 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | cmd.exe
PID 268 wrote to memory of 1300 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1300 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1300 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1300 | 268 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1808 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1808 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1808 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1808 | 1232 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1696 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1696 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1696 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1696 | 268 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 240 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 240 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 240 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 240 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1932 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1932 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1932 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1932 | 1232 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1928 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1928 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1928 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 1928 | 268 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1528 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1528 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1528 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1528 | 1232 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 960 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 960 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 960 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 960 | 268 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 556 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 556 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 556 | 1232 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 556 | 1232 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 468 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 468 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 468 | 268 | zetehvgpwf.exe | takeown.exe
PID 268 wrote to memory of 468 | 268 | zetehvgpwf.exe | takeown.exe
PID 1232 wrote to memory of 1468 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1468 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1468 | 1232 | zetehvgpwf.exe | icacls.exe
PID 1232 wrote to memory of 1468 | 1232 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1956 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1956 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1956 | 268 | zetehvgpwf.exe | icacls.exe
PID 268 wrote to memory of 1956 | 268 | zetehvgpwf.exe | icacls.exe
System policy modification 1 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zetehvgpwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zetehvgpwf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zetehvgpwf.exe
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification

2⤵ C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System policy modification

2⤵ C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

3⤵ C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\zetehvgpwf.exe" -
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"
- Possible privilege escalation attempt

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D
- Possible privilege escalation attempt

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D
- Possible privilege escalation attempt

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"
- Possible privilege escalation attempt
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D
- Possible privilege escalation attempt
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"
- Possible privilege escalation attempt

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"
- Suspicious use of AdjustPrivilegeToken

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"
- Suspicious use of AdjustPrivilegeToken

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D
- Possible privilege escalation attempt

4⤵ C:\Windows\SysWOW64\takeown.exe
   command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"
- Suspicious use of AdjustPrivilegeToken

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D
- Modifies file permissions

4⤵ C:\Windows\SysWOW64\icacls.exe
   command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\A3DUtility.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroBroker.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\Eula.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\LogTransport2.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Reader\reader_sl.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\Updater6\Adobe_Updater.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe AIR\Versions\1.0\template.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DW20.EXE" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\DW\DWTRIG20.EXE" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe"3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\mip.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\pipanel.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe"3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\ink\TabTip32.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe"3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\LICLUA.EXE" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Oarpmany.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe"
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{89BA9AFB-5EEA-4B19-9C5E-CEDE048A6D36}\chrome_installer.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE"
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\1033\ONELEV.EXE" /grant Admin:D
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE"
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\ACCICONS.EXE" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe"
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\BCSSync.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE"
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CLVIEW.EXE" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe (depth 3)
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE"
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe (depth 3)
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft Office\Office14\CNFNOT32.EXE" /grant Admin:D
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c pause
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads