17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

Analysis

max time kernel
90s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Size

512KB
MD5

82fd0018bb2441cfc589124168472840
SHA1

c389e4cd7981f7236f19f357f5ba61901d52dc37
SHA256

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
SHA512

bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
SSDEEP

6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe

Executes dropped EXE 3 IoCs

Processes:

ahnbpqiqvi.exeahnbpqiqvi.exeahnbpqiqvi.exe

pid process

2640 ahnbpqiqvi.exe
2248 ahnbpqiqvi.exe
3744 ahnbpqiqvi.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
4276	takeown.exe
3648	takeown.exe
1084	takeown.exe
60	icacls.exe
4376	takeown.exe
1420	takeown.exe
780	icacls.exe
2668	takeown.exe
2424	icacls.exe
4600	takeown.exe
2028	takeown.exe
4296	takeown.exe
4120	takeown.exe
4112	icacls.exe
4020	takeown.exe
4276	takeown.exe
3364	icacls.exe
3944	icacls.exe
1600	icacls.exe
1336	icacls.exe
1948	icacls.exe
3760	takeown.exe
3116	takeown.exe
5092	takeown.exe
2508	icacls.exe
3032	icacls.exe
3712	takeown.exe
5012	icacls.exe
4932	takeown.exe
3836	icacls.exe
2372	takeown.exe
4392	icacls.exe
4464	icacls.exe
1960	takeown.exe
4260	icacls.exe
1604	takeown.exe
780	icacls.exe
176	takeown.exe
1860	icacls.exe
4948	takeown.exe
5088	takeown.exe
5108	takeown.exe
4352	takeown.exe
1612	takeown.exe
2260	icacls.exe
3740	takeown.exe
1084	icacls.exe
3460	icacls.exe
3612	takeown.exe
856	takeown.exe
4920	takeown.exe
1568	icacls.exe
1312	icacls.exe
4596	icacls.exe
1704	icacls.exe
656	icacls.exe
2388	icacls.exe
2528	icacls.exe
2508	icacls.exe
1604	takeown.exe
1484	icacls.exe
1432	icacls.exe
2276	takeown.exe
1964	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ahnbpqiqvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ahnbpqiqvi.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
3712	takeown.exe
4244	icacls.exe
3836	icacls.exe
4744	icacls.exe
4704	icacls.exe
1388	takeown.exe
4260	icacls.exe
1432	icacls.exe
3940	takeown.exe
2528	icacls.exe
2508	icacls.exe
4416	takeown.exe
1420	takeown.exe
812	takeown.exe
1312	icacls.exe
4376	takeown.exe
1860	icacls.exe
1568	icacls.exe
4448	icacls.exe
5092	takeown.exe
4948	takeown.exe
4124	icacls.exe
4112	icacls.exe
2824	icacls.exe
2200	icacls.exe
60	icacls.exe
516	icacls.exe
220	icacls.exe
5044	takeown.exe
3648	takeown.exe
2740	takeown.exe
4112	icacls.exe
2276	takeown.exe
1612	takeown.exe
3672	icacls.exe
2372	takeown.exe
4276	takeown.exe
2388	icacls.exe
4596	takeown.exe
1300	takeown.exe
4224	icacls.exe
2276	takeown.exe
3768	takeown.exe
3968	icacls.exe
780	icacls.exe
3720	takeown.exe
3116	takeown.exe
1060	takeown.exe
5064	takeown.exe
2684	icacls.exe
4124	icacls.exe
4464	takeown.exe
1608	takeown.exe
4920	takeown.exe
1064	icacls.exe
1604	takeown.exe
1604	takeown.exe
3896	takeown.exe
4932	takeown.exe
1484	icacls.exe
3364	icacls.exe
2360	takeown.exe
4464	icacls.exe
4436	takeown.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ahnbpqiqvi.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ahnbpqiqvi.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 whatismyip.everdot.org
34 whatismyip.everdot.org
43 whatismyip.everdot.org
11 whatismyipaddress.com

flow	ioc
15	whatismyip.everdot.org
34	whatismyip.everdot.org
43	whatismyip.everdot.org
11	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification	C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File opened for modification	C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File opened for modification	C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe

Drops file in Program Files directory 64 IoCs

Processes:

ahnbpqiqvi.exeahnbpqiqvi.exeahnbpqiqvi.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwisvi\GoogleUpdateComRegisterShell64.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\twnubklygz\msedge_proxy.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\twnuwflixo\WCChromeNativeMessagingHost.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnufavtsb\AdobeCollabSync.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurqyfq\cookie_exporter.exe	ahnbpqiqvi.exe
File opened for modification	C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\twnuurwpeh\AcroLayoutRecognizer.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\notification_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurejev\msedge_pwa_launcher.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\twnuurisru\chrome_installer.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnuurmsvc\AdobeARMHelper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnushqldf\GoogleUpdateSetup.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\twnuehqzpf\ie_to_edge_stub.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\twnushqljy\setup.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\twnuhtaljn\msedge.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\twnuurhviw\64BitMAPIBroker.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuurmsvi\wow_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnufavtsb\AdobeCollabSync.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuurmsvi\wow_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurejev\msedge_pwa_launcher.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\twnuhtaljn\msedge.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnuurmsvc\AdobeARMHelper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\twnugrejjv\jusched.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\twnuurmsvi\pwahelper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnushqldf\GoogleUpdateSetup.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnujyrlsp\AdobeARM.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuijbpmc\msedgewebview2.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\twnucltyum\RdrCEF.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuitasfs\AcroRd32.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\twnuurisru\chrome_installer.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\twnuwflixo\WCChromeNativeMessagingHost.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\twnujrobrk\jaureg.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\twnuitlmej\msinfo32.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\notification_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification	C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuonqzej\ieinstal.exe	ahnbpqiqvi.exe
File opened for modification	C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\twnuurhviw\64BitMAPIBroker.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\identity_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\identity_helper.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\twnushqljy\setup.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuitasfs\AcroRd32.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\twnunpbotv\jucheck.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\twnuitlmej\msinfo32.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe	ahnbpqiqvi.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\twnubklygz\msedge_proxy.exe	ahnbpqiqvi.exe

Drops file in Windows directory 4 IoCs

Processes:

ahnbpqiqvi.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	ioc	process
File opened for modification	C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File created	C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification	C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe
File opened for modification	C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg	ahnbpqiqvi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ahnbpqiqvi.exe

pid	process
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe
2640	ahnbpqiqvi.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ahnbpqiqvi.exeahnbpqiqvi.exe

pid process

2640 ahnbpqiqvi.exe
3744 ahnbpqiqvi.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

ahnbpqiqvi.exeahnbpqiqvi.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2640	ahnbpqiqvi.exe
Token: SeDebugPrivilege	3744	ahnbpqiqvi.exe
Token: SeTakeOwnershipPrivilege	1340	takeown.exe
Token: SeTakeOwnershipPrivilege	3108	takeown.exe
Token: SeTakeOwnershipPrivilege	4356	takeown.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	3116	takeown.exe
Token: SeTakeOwnershipPrivilege	4296	takeown.exe
Token: SeTakeOwnershipPrivilege	1388	takeown.exe
Token: SeTakeOwnershipPrivilege	856	takeown.exe
Token: SeTakeOwnershipPrivilege	5044	takeown.exe
Token: SeTakeOwnershipPrivilege	4416	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe
Token: SeTakeOwnershipPrivilege	1612	takeown.exe
Token: SeTakeOwnershipPrivilege	4920	takeown.exe
Token: SeTakeOwnershipPrivilege	1420	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exeahnbpqiqvi.exeahnbpqiqvi.exe

description	pid	process	target process
PID 4972 wrote to memory of 2640	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 2640	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 2640	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 2248	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 2248	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 2248	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	ahnbpqiqvi.exe
PID 2640 wrote to memory of 3744	2640	ahnbpqiqvi.exe	ahnbpqiqvi.exe
PID 2640 wrote to memory of 3744	2640	ahnbpqiqvi.exe	ahnbpqiqvi.exe
PID 2640 wrote to memory of 3744	2640	ahnbpqiqvi.exe	ahnbpqiqvi.exe
PID 4972 wrote to memory of 1408	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 4972 wrote to memory of 1408	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 4972 wrote to memory of 1408	4972	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe	cmd.exe
PID 2640 wrote to memory of 4080	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 4080	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 4080	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3032	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3032	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3032	2640	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1604	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1604	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1604	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1064	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1064	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1064	3744	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 4556	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 4556	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 4556	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 1948	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 1948	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 1948	2640	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1456	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1456	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1456	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 4712	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 4712	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 4712	3744	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 1228	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 1228	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 1228	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 1484	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 1484	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 1484	2640	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1892	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1892	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1892	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 2756	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 2756	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 2756	3744	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3768	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3768	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3768	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3904	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3904	2640	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3904	2640	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 3648	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 3648	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 3648	3744	ahnbpqiqvi.exe	takeown.exe
PID 3744 wrote to memory of 1300	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1300	3744	ahnbpqiqvi.exe	icacls.exe
PID 3744 wrote to memory of 1300	3744	ahnbpqiqvi.exe	icacls.exe
PID 2640 wrote to memory of 3712	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3712	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 3712	2640	ahnbpqiqvi.exe	takeown.exe
PID 2640 wrote to memory of 4036	2640	ahnbpqiqvi.exe	icacls.exe

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

Processes:

ahnbpqiqvi.exeahnbpqiqvi.exeahnbpqiqvi.exe17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ahnbpqiqvi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahnbpqiqvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ahnbpqiqvi.exe

C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
"C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4972

C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
"C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2640

C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
"C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3744

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
4⤵
- Possible privilege escalation attempt
PID:1604

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1064

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
4⤵
PID:1456

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D
4⤵
PID:4712

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"
4⤵
PID:1892

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D
4⤵
PID:2756

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3648

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D
4⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
4⤵
- Possible privilege escalation attempt
PID:2668

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D
4⤵
PID:3588

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
4⤵
- Possible privilege escalation attempt
PID:1960

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:1084

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
4⤵
PID:3988

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:4124

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
4⤵
PID:3340

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:4260

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5092

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D
4⤵
PID:2964

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"
4⤵
PID:2420

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D
4⤵
PID:1608

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
4⤵
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D
4⤵
PID:3672

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"
4⤵
- Modifies file permissions
PID:2360

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D
4⤵
PID:2876

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"
4⤵
- Possible privilege escalation attempt
PID:1084

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D
4⤵
PID:4328

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1604

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:2424

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
4⤵
PID:1812

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:4260

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"
4⤵
- Modifies file permissions
PID:4436

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:2824

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
4⤵
- Modifies file permissions
PID:2740

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:2200

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"
4⤵
PID:4040

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:4596

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
4⤵
PID:3556

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:3968

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
4⤵
PID:1068

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:60

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"
4⤵
PID:1852

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D
4⤵
PID:2252

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"
4⤵
PID:3340

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:4392

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"
4⤵
PID:3396

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:780

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D
4⤵
PID:2520

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:2388

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D
4⤵
PID:812

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
4⤵
PID:1564

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:516

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
4⤵
- Possible privilege escalation attempt
PID:4120

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
4⤵
PID:1064

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
4⤵
PID:4704

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
4⤵
PID:4264

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4948

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:4112

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
4⤵
- Modifies file permissions
PID:3896

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
4⤵
PID:1568

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
4⤵
PID:4976

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
4⤵
PID:2756

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
4⤵
PID:4240

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
4⤵
PID:4344

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
4⤵
PID:5064

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
4⤵
PID:3916

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
4⤵
- Possible privilege escalation attempt
PID:4352

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
4⤵
PID:1960

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:1860

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
4⤵
PID:2948

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
4⤵
- Possible privilege escalation attempt
PID:3612

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:4704

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"
4⤵
PID:1856

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D
4⤵
PID:4948

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1432

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
4⤵
PID:4976

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
4⤵
PID:1968

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
4⤵
PID:4296

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"
4⤵
- Modifies file permissions
PID:2276

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D
4⤵
PID:4808

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"
4⤵
- Modifies file permissions
PID:2372

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D
4⤵
PID:1064

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
4⤵
PID:4076

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:2260

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
4⤵
PID:4464

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2528

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"
4⤵
PID:4064

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:780

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"
4⤵
PID:4736

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3836

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"
4⤵
- Possible privilege escalation attempt
PID:3740

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D
4⤵
PID:4424

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"
4⤵
PID:3116

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D
4⤵
PID:4760

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"
4⤵
PID:1452

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D
4⤵
- Modifies file permissions
PID:4744

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4276

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D
4⤵
PID:3332

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"
4⤵
PID:4536

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
PID:656

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:3640

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D
4⤵
PID:1456

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"
4⤵
PID:3396

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4112

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"
4⤵
- Possible privilege escalation attempt
PID:4020

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D
4⤵
PID:3460

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"
4⤵
PID:3416

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D
4⤵
PID:2616

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
3⤵
PID:4080

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:3032

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
3⤵
PID:4556

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1948

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"
3⤵
PID:1228

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"
3⤵
- Modifies file permissions
PID:3768

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D
3⤵
PID:3904

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3712

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D
3⤵
PID:4036

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
3⤵
PID:4580

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D
3⤵
PID:3012

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
3⤵
- Possible privilege escalation attempt
PID:4276

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D
3⤵
PID:2368

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D
3⤵
PID:3008

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
3⤵
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:5012

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"
3⤵
PID:4944

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D
3⤵
PID:2764

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
3⤵
- Possible privilege escalation attempt
PID:5108

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D
3⤵
PID:116

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"
3⤵
- Modifies file permissions
PID:812

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3364

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"
3⤵
PID:3012

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:4244

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"
3⤵
PID:1996

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1600

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
3⤵
- Possible privilege escalation attempt
PID:4600

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"
3⤵
PID:5012

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:780

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
3⤵
PID:4944

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D
3⤵
PID:4116

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"
3⤵
- Possible privilege escalation attempt
PID:176

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:2388

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
3⤵
PID:4036

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1964

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
3⤵
- Possible privilege escalation attempt
PID:3760

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D
3⤵
PID:4352

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"
3⤵
PID:1816

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1860

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"
3⤵
PID:4364

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1704

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"
3⤵
PID:4144

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D
3⤵
PID:4712

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2508

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D
3⤵
PID:2200

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D
3⤵
PID:4252

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
3⤵
PID:2360

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
3⤵
PID:4580

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
3⤵
PID:4728

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
3⤵
PID:2800

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
3⤵
- Modifies file permissions
PID:1604

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
3⤵
PID:656

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
3⤵
PID:1312

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
3⤵
PID:544

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4376

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:3460

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
3⤵
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:220

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
3⤵
- Modifies file permissions
PID:4596

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
3⤵
PID:4608

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
3⤵
PID:628

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
3⤵
PID:548

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
3⤵
PID:1084

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
3⤵
PID:2372

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
3⤵
PID:5004

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:4124

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"
3⤵
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D
3⤵
PID:4392

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
3⤵
PID:1484

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
3⤵
PID:2300

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:3672

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"
3⤵
- Modifies file permissions
PID:3720

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D
3⤵
PID:2536

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"
3⤵
PID:5080

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D
3⤵
PID:1068

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
3⤵
- Possible privilege escalation attempt
PID:2028

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:3944

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
3⤵
- Possible privilege escalation attempt
PID:5088

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:1336

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"
3⤵
PID:5012

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D
3⤵
PID:4180

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4932

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1568

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"
3⤵
PID:2740

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D
3⤵
PID:3656

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"
3⤵
PID:2108

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D
3⤵
PID:1968

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"
3⤵
- Modifies file permissions
PID:5064

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D
3⤵
PID:3540

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2276

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D
3⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"
3⤵
- Possible privilege escalation attempt
PID:2372

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D
3⤵
- Modifies file permissions
PID:4448

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4076

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D
3⤵
PID:1384

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"
3⤵
PID:3340

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D
3⤵
PID:1880

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"
3⤵
PID:4592

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D
3⤵
PID:2104

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"
3⤵
PID:4968

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D
3⤵
- Possible privilege escalation attempt
PID:2508

C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
"C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System policy modification
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0ead72f8a7146873391c71824000c5e1

SHA1
20be145404007b2033768096ac43ebbc29c526fd

SHA256
24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

SHA512
1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

Download Submit
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0f2dfe0f3377a5fbc35ea259522b3b3c

SHA1
251591bcba6f2120e07a7e77c5023a586240376a

SHA256
6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

SHA512
7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

Download Submit
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
Filesize
512KB

MD5
82fd0018bb2441cfc589124168472840

SHA1
c389e4cd7981f7236f19f357f5ba61901d52dc37

SHA256
17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

SHA512
bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0ead72f8a7146873391c71824000c5e1

SHA1
20be145404007b2033768096ac43ebbc29c526fd

SHA256
24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

SHA512
1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0f2dfe0f3377a5fbc35ea259522b3b3c

SHA1
251591bcba6f2120e07a7e77c5023a586240376a

SHA256
6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

SHA512
7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0ead72f8a7146873391c71824000c5e1

SHA1
20be145404007b2033768096ac43ebbc29c526fd

SHA256
24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

SHA512
1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

Download Submit
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0ead72f8a7146873391c71824000c5e1

SHA1
20be145404007b2033768096ac43ebbc29c526fd

SHA256
24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

SHA512
1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

Download Submit
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0f2dfe0f3377a5fbc35ea259522b3b3c

SHA1
251591bcba6f2120e07a7e77c5023a586240376a

SHA256
6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

SHA512
7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

Download Submit
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
0ead72f8a7146873391c71824000c5e1

SHA1
20be145404007b2033768096ac43ebbc29c526fd

SHA256
24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

SHA512
1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

Download Submit
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize
32B

MD5
4128509cbca080cd31519ceed504d1c8

SHA1
dc874088758a3821282fa5a9ae00fd0e368409e0

SHA256
f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

SHA512
8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

Download Submit
memory/116-201-0x0000000000000000-mapping.dmp

Download
memory/812-204-0x0000000000000000-mapping.dmp

Download
memory/1064-163-0x0000000000000000-mapping.dmp

Download
memory/1084-210-0x0000000000000000-mapping.dmp

Download
memory/1084-183-0x0000000000000000-mapping.dmp

Download
memory/1228-168-0x0000000000000000-mapping.dmp

Download
memory/1300-175-0x0000000000000000-mapping.dmp

Download
memory/1300-202-0x0000000000000000-mapping.dmp

Download
memory/1312-217-0x0000000000000000-mapping.dmp

Download
memory/1408-159-0x0000000000000000-mapping.dmp

Download
memory/1456-166-0x0000000000000000-mapping.dmp

Download
memory/1484-169-0x0000000000000000-mapping.dmp

Download
memory/1600-213-0x0000000000000000-mapping.dmp

Download
memory/1604-214-0x0000000000000000-mapping.dmp

Download
memory/1604-162-0x0000000000000000-mapping.dmp

Download
memory/1608-199-0x0000000000000000-mapping.dmp

Download
memory/1812-218-0x0000000000000000-mapping.dmp

Download
memory/1848-188-0x0000000000000000-mapping.dmp

Download
memory/1892-170-0x0000000000000000-mapping.dmp

Download
memory/1948-165-0x0000000000000000-mapping.dmp

Download
memory/1960-182-0x0000000000000000-mapping.dmp

Download
memory/1996-212-0x0000000000000000-mapping.dmp

Download
memory/2248-135-0x0000000000000000-mapping.dmp

Download
memory/2360-206-0x0000000000000000-mapping.dmp

Download
memory/2368-185-0x0000000000000000-mapping.dmp

Download
memory/2420-198-0x0000000000000000-mapping.dmp

Download
memory/2424-215-0x0000000000000000-mapping.dmp

Download
memory/2640-132-0x0000000000000000-mapping.dmp

Download
memory/2668-178-0x0000000000000000-mapping.dmp

Download
memory/2756-171-0x0000000000000000-mapping.dmp

Download
memory/2764-197-0x0000000000000000-mapping.dmp

Download
memory/2876-207-0x0000000000000000-mapping.dmp

Download
memory/2964-195-0x0000000000000000-mapping.dmp

Download
memory/3008-189-0x0000000000000000-mapping.dmp

Download
memory/3012-208-0x0000000000000000-mapping.dmp

Download
memory/3012-181-0x0000000000000000-mapping.dmp

Download
memory/3032-161-0x0000000000000000-mapping.dmp

Download
memory/3340-190-0x0000000000000000-mapping.dmp

Download
memory/3364-205-0x0000000000000000-mapping.dmp

Download
memory/3588-179-0x0000000000000000-mapping.dmp

Download
memory/3648-174-0x0000000000000000-mapping.dmp

Download
memory/3672-203-0x0000000000000000-mapping.dmp

Download
memory/3712-176-0x0000000000000000-mapping.dmp

Download
memory/3744-152-0x0000000000000000-mapping.dmp

Download
memory/3768-172-0x0000000000000000-mapping.dmp

Download
memory/3904-173-0x0000000000000000-mapping.dmp

Download
memory/3988-186-0x0000000000000000-mapping.dmp

Download
memory/4036-177-0x0000000000000000-mapping.dmp

Download
memory/4080-160-0x0000000000000000-mapping.dmp

Download
memory/4124-187-0x0000000000000000-mapping.dmp

Download
memory/4244-209-0x0000000000000000-mapping.dmp

Download
memory/4260-191-0x0000000000000000-mapping.dmp

Download
memory/4260-219-0x0000000000000000-mapping.dmp

Download
memory/4276-184-0x0000000000000000-mapping.dmp

Download
memory/4328-211-0x0000000000000000-mapping.dmp

Download
memory/4464-192-0x0000000000000000-mapping.dmp

Download
memory/4556-164-0x0000000000000000-mapping.dmp

Download
memory/4580-180-0x0000000000000000-mapping.dmp

Download
memory/4600-216-0x0000000000000000-mapping.dmp

Download
memory/4712-167-0x0000000000000000-mapping.dmp

Download
memory/4944-196-0x0000000000000000-mapping.dmp

Download
memory/5012-193-0x0000000000000000-mapping.dmp

Download
memory/5092-194-0x0000000000000000-mapping.dmp

Download
memory/5108-200-0x0000000000000000-mapping.dmp

Download