Analysis
max time kernel: 90s
max time network: 79s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 17:57
Static task: static1
Behavioral task: behavioral1
Sample: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Resource: win7-20220812-en
General
Target: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Size: 512KB
MD5: 82fd0018bb2441cfc589124168472840
SHA1: c389e4cd7981f7236f19f357f5ba61901d52dc37
SHA256: 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
SHA512: bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
SSDEEP: 6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp
Malware Config
Signatures
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
2640 | ahnbpqiqvi.exe
2248 | ahnbpqiqvi.exe
3744 | ahnbpqiqvi.exe
Possible privilege escalation attempt 64 IoCs
Processes:
pid | process
4276 | takeown.exe
3648 | takeown.exe
1084 | takeown.exe
60 | icacls.exe
4376 | takeown.exe
1420 | takeown.exe
780 | icacls.exe
2668 | takeown.exe
2424 | icacls.exe
4600 | takeown.exe
2028 | takeown.exe
4296 | takeown.exe
4120 | takeown.exe
4112 | icacls.exe
4020 | takeown.exe
4276 | takeown.exe
3364 | icacls.exe
3944 | icacls.exe
1600 | icacls.exe
1336 | icacls.exe
1948 | icacls.exe
3760 | takeown.exe
3116 | takeown.exe
5092 | takeown.exe
2508 | icacls.exe
3032 | icacls.exe
3712 | takeown.exe
5012 | icacls.exe
4932 | takeown.exe
3836 | icacls.exe
2372 | takeown.exe
4392 | icacls.exe
4464 | icacls.exe
1960 | takeown.exe
4260 | icacls.exe
1604 | takeown.exe
780 | icacls.exe
176 | takeown.exe
1860 | icacls.exe
4948 | takeown.exe
5088 | takeown.exe
5108 | takeown.exe
4352 | takeown.exe
1612 | takeown.exe
2260 | icacls.exe
3740 | takeown.exe
1084 | icacls.exe
3460 | icacls.exe
3612 | takeown.exe
856 | takeown.exe
4920 | takeown.exe
1568 | icacls.exe
1312 | icacls.exe
4596 | icacls.exe
1704 | icacls.exe
656 | icacls.exe
2388 | icacls.exe
2528 | icacls.exe
2508 | icacls.exe
1604 | takeown.exe
1484 | icacls.exe
1432 | icacls.exe
2276 | takeown.exe
1964 | icacls.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ahnbpqiqvi.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ahnbpqiqvi.exe
Modifies file permissions 1 TTPs 64 IoCs
Processes:
pid | process
3712 | takeown.exe
4244 | icacls.exe
3836 | icacls.exe
4744 | icacls.exe
4704 | icacls.exe
1388 | takeown.exe
4260 | icacls.exe
1432 | icacls.exe
3940 | takeown.exe
2528 | icacls.exe
2508 | icacls.exe
4416 | takeown.exe
1420 | takeown.exe
812 | takeown.exe
1312 | icacls.exe
4376 | takeown.exe
1860 | icacls.exe
1568 | icacls.exe
4448 | icacls.exe
5092 | takeown.exe
4948 | takeown.exe
4124 | icacls.exe
4112 | icacls.exe
2824 | icacls.exe
2200 | icacls.exe
60 | icacls.exe
516 | icacls.exe
220 | icacls.exe
5044 | takeown.exe
3648 | takeown.exe
2740 | takeown.exe
4112 | icacls.exe
2276 | takeown.exe
1612 | takeown.exe
3672 | icacls.exe
2372 | takeown.exe
4276 | takeown.exe
2388 | icacls.exe
4596 | takeown.exe
1300 | takeown.exe
4224 | icacls.exe
2276 | takeown.exe
3768 | takeown.exe
3968 | icacls.exe
780 | icacls.exe
3720 | takeown.exe
3116 | takeown.exe
1060 | takeown.exe
5064 | takeown.exe
2684 | icacls.exe
4124 | icacls.exe
4464 | takeown.exe
1608 | takeown.exe
4920 | takeown.exe
1064 | icacls.exe
1604 | takeown.exe
1604 | takeown.exe
3896 | takeown.exe
4932 | takeown.exe
1484 | icacls.exe
3364 | icacls.exe
2360 | takeown.exe
4464 | icacls.exe
4436 | takeown.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ahnbpqiqvi.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
15 | whatismyip.everdot.org
34 | whatismyip.everdot.org
43 | whatismyip.everdot.org
11 | whatismyipaddress.com
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification | C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File opened for modification | C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File opened for modification | C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwisvi\GoogleUpdateComRegisterShell64.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\twnubklygz\msedge_proxy.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\twnuwflixo\WCChromeNativeMessagingHost.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnufavtsb\AdobeCollabSync.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuhelsgy\iexplore.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurqyfq\cookie_exporter.exe | ahnbpqiqvi.exe
File opened for modification | C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\twnuurwpeh\AcroLayoutRecognizer.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\notification_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurejev\msedge_pwa_launcher.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\twnuurisru\chrome_installer.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnuurmsvc\AdobeARMHelper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnushqldf\GoogleUpdateSetup.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\twnuehqzpf\ie_to_edge_stub.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\twnushqljy\setup.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\twnuhtaljn\msedge.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\twnuurhviw\64BitMAPIBroker.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuurmsvi\wow_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuhgxkgp\GoogleUpdate.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnufavtsb\AdobeCollabSync.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuurmsvi\wow_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurejev\msedge_pwa_launcher.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\twnuhtaljn\msedge.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnuurmsvc\AdobeARMHelper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\twnugrejjv\jusched.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\twnuurmsvi\pwahelper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuheldvu\GoogleUpdateCore.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnushqldf\GoogleUpdateSetup.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\twnujyrlsp\AdobeARM.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurikeb\GoogleCrashHandler.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuijbpmc\msedgewebview2.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\twnucltyum\RdrCEF.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuitasfs\AcroRd32.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnuurhviw\GoogleUpdateBroker.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\twnuurisru\chrome_installer.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\twnuurisru\chrome_installer.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\twnuwflixo\WCChromeNativeMessagingHost.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\twnujrobrk\jaureg.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\twnuitlmej\msinfo32.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\notification_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification | C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnukwolce\GoogleCrashHandler64.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\twnuhgxkgp\DisabledGoogleUpdate.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuonqzej\ieinstal.exe | ahnbpqiqvi.exe
File opened for modification | C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\twnuurhviw\64BitMAPIBroker.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\identity_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\twnuurmsvi\identity_helper.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\twnushqljy\setup.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\twnuitasfs\AcroRd32.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\twnugaxtvy\GoogleUpdateOnDemand.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\twnunpbotv\jucheck.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\twnuitlmej\msinfo32.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Internet Explorer\twnuovqbnp\ielowutil.exe | ahnbpqiqvi.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\twnubklygz\msedge_proxy.exe | ahnbpqiqvi.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File created | C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
File opened for modification | C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
File opened for modification | C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg | ahnbpqiqvi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2640 | ahnbpqiqvi.exe (this identical entry is recorded 64 times)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
2640 | ahnbpqiqvi.exe
3744 | ahnbpqiqvi.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2640 | ahnbpqiqvi.exe
Token: SeDebugPrivilege | 3744 | ahnbpqiqvi.exe
Token: SeTakeOwnershipPrivilege | 1340 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3108 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4356 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2848 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3116 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4296 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1388 | takeown.exe
Token: SeTakeOwnershipPrivilege | 856 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5044 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4416 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3940 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1612 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4920 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1420 | takeown.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4972 wrote to memory of 2640 | 4972 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | ahnbpqiqvi.exe (3 identical entries)
PID 4972 wrote to memory of 2248 | 4972 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | ahnbpqiqvi.exe (3 identical entries)
PID 2640 wrote to memory of 3744 | 2640 | ahnbpqiqvi.exe | ahnbpqiqvi.exe (3 identical entries)
PID 4972 wrote to memory of 1408 | 4972 | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe | cmd.exe (3 identical entries)
PID 2640 wrote to memory of 4080 | 2640 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 2640 wrote to memory of 3032 | 2640 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 3744 wrote to memory of 1604 | 3744 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 3744 wrote to memory of 1064 | 3744 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 2640 wrote to memory of 4556 | 2640 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 2640 wrote to memory of 1948 | 2640 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 3744 wrote to memory of 1456 | 3744 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 3744 wrote to memory of 4712 | 3744 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 2640 wrote to memory of 1228 | 2640 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 2640 wrote to memory of 1484 | 2640 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 3744 wrote to memory of 1892 | 3744 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 3744 wrote to memory of 2756 | 3744 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 2640 wrote to memory of 3768 | 2640 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 2640 wrote to memory of 3904 | 2640 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 3744 wrote to memory of 3648 | 3744 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 3744 wrote to memory of 1300 | 3744 | ahnbpqiqvi.exe | icacls.exe (3 identical entries)
PID 2640 wrote to memory of 3712 | 2640 | ahnbpqiqvi.exe | takeown.exe (3 identical entries)
PID 2640 wrote to memory of 4036 | 2640 | ahnbpqiqvi.exe | icacls.exe
System policy modification 1 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ahnbpqiqvi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ahnbpqiqvi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ahnbpqiqvi.exe
Processes

C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
    - UAC bypass
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
      - UAC bypass
      - Executes dropped EXE
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
        - Modifies file permissions

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D
        - Possible privilege escalation attempt

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D
        - Possible privilege escalation attempt
        - Modifies file permissions

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D

      C:\Windows\SysWOW64\takeown.exe  (depth 4)
        Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"

      C:\Windows\SysWOW64\icacls.exe  (depth 4)
        Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D
        - Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"4⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D4⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"3⤵
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D
-
C:\Windows\SysWOW64\takeown.exe (tree depth 3)
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"
-
C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D
- Possible privilege escalation attempt
-
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c pause
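The process tree above shows the dropped copy of the sample running the same two-step sequence against every Microsoft Edge binary under Program Files (x86): takeown.exe /f to seize ownership of the file, then icacls.exe <file> /grant Admin:D to give the Admin account Delete rights on it, in addition to the EnableLUA = 0 policy write listed in the signatures. (The image path is C:\Windows\SysWOW64\... while the command line names System32 because the 32-bit parent is subject to WoW64 file system redirection; the doubled backslash in "Program Files (x86)\\Microsoft" is in the sample's own command line and Windows tolerates it, so a detector has to normalize it.) The Python detector below is added here as an example; it is not part of the sandbox report or of the sample. It replays that pattern over constructed Sysmon-style process-creation and registry-set events: all PIDs and PPIDs, the benign events, the unpaired decoy and the mass_threshold cutoff are assumptions made for the example.

```python
"""Pair takeown /f with icacls /grant on protected binaries, and catch EnableLUA = 0.

Added example, not part of the sandbox report or the sample it describes. It replays
the report's pattern (takeown.exe /f <Edge binary>, then icacls.exe <Edge binary>
/grant Admin:D, one pair per binary, plus EnableLUA = 0) over constructed events.
"""
import re
from collections import defaultdict

# Trees where a process granting itself rights on executables is suspicious.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# takeown [...] /f <path>   -- the form used in the report; the path may be quoted.
TAKEOWN_RE = re.compile(r'takeown(?:\.exe)?"?\s+.*?/f\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# icacls <path> /grant[:r] <principal>:<rights>
ICACLS_RE = re.compile(r'icacls(?:\.exe)?"?\s+"?([^"]+?)"?\s+/grant(?::r)?\s+(\S+)', re.IGNORECASE)

# Path prefix exactly as it appears in the report's command lines (doubled backslash included).
EDGE = r"C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67"


def takeown_cmd(path):
    return f'"C:\\Windows\\System32\\takeown.exe" /f "{path}"'


def icacls_cmd(path, grant):
    return f'"C:\\Windows\\System32\\icacls.exe" "{path}" /grant {grant}'


# Constructed Sysmon-style process-creation events; pid/ppid values are made up.
# ppid 1111 stands in for the dropped ahnbpqiqvi.exe, ppid 2222 for an admin editing a document.
SAMPLE_EVENTS = [
    {"pid": 1112, "ppid": 1111, "cmdline": takeown_cmd(EDGE + r"\msedge.exe")},
    {"pid": 1113, "ppid": 1111, "cmdline": icacls_cmd(EDGE + r"\msedge.exe", "Admin:D")},
    {"pid": 1114, "ppid": 1111, "cmdline": takeown_cmd(EDGE + r"\elevation_service.exe")},
    {"pid": 1115, "ppid": 1111, "cmdline": icacls_cmd(EDGE + r"\elevation_service.exe", "Admin:D")},
    {"pid": 1116, "ppid": 1111, "cmdline": takeown_cmd(EDGE + r"\identity_helper.exe")},
    {"pid": 1117, "ppid": 1111, "cmdline": icacls_cmd(EDGE + r"\identity_helper.exe", "Admin:D")},
    {"pid": 1118, "ppid": 1111, "cmdline": r"C:\Windows\system32\cmd.exe /c pause"},
    # Benign: an administrator fixing up a document inside their own profile.
    {"pid": 2223, "ppid": 2222, "cmdline": takeown_cmd(r"C:\Users\Admin\Documents\report.docx")},
    {"pid": 2224, "ppid": 2222, "cmdline": icacls_cmd(r"C:\Users\Admin\Documents\report.docx", "Admin:F")},
    # Unpaired decoy: a grant on a protected path with no preceding takeown from the same parent.
    {"pid": 3334, "ppid": 3333, "cmdline": icacls_cmd(r"C:\Program Files\Example\tool.exe", "Users:RX")},
]

# Constructed registry-set events modelled on the report's EnableLUA = 0 signature.
REG_EVENTS = [
    {"pid": 1111, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 0},
    {"pid": 2222, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "ConsentPromptBehaviorAdmin", "data": 5},
]


def normalize(path):
    """Lower-case the path and collapse doubled backslashes so prefix checks work."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def is_protected(path):
    return any(path.startswith(root) for root in PROTECTED_ROOTS)


def parse_event(event):
    """Classify one process event as ('takeown', path, None), ('icacls', path, grantee) or None."""
    cmd = event["cmdline"]
    m = TAKEOWN_RE.search(cmd)
    if m:
        return ("takeown", normalize(m.group(1)), None)
    m = ICACLS_RE.search(cmd)
    if m:
        return ("icacls", normalize(m.group(1)), m.group(2))
    return None


def detect_acl_tampering(events, mass_threshold=5):
    """One 'high' alert per (parent, protected path) seen in both a takeown and an icacls /grant,
    plus one 'critical' alert when a single parent does this to mass_threshold or more files."""
    per_parent = defaultdict(lambda: {"takeown": set(), "icacls": {}})
    for ev in events:
        parsed = parse_event(ev)
        if parsed is None:
            continue
        kind, path, grantee = parsed
        if not is_protected(path):
            continue
        bucket = per_parent[ev["ppid"]]
        if kind == "takeown":
            bucket["takeown"].add(path)
        else:
            bucket["icacls"][path] = grantee
    alerts = []
    for ppid, bucket in sorted(per_parent.items()):
        paired = sorted(bucket["takeown"] & set(bucket["icacls"]))
        for path in paired:
            alerts.append({"severity": "high", "ppid": ppid, "path": path,
                           "grantee": bucket["icacls"][path]})
        if len(paired) >= mass_threshold:
            alerts.append({"severity": "critical", "ppid": ppid, "path": None,
                           "grantee": None, "count": len(paired)})
    return alerts


def detect_uac_disable(reg_events):
    """Return the pids that wrote EnableLUA = 0 under Policies\\System (UAC off after the next reboot)."""
    return [ev["pid"] for ev in reg_events
            if ev["key"].lower().endswith("\\policies\\system")
            and ev["value"].lower() == "enablelua"
            and int(ev["data"]) == 0]


if __name__ == "__main__":
    for alert in detect_acl_tampering(SAMPLE_EVENTS, mass_threshold=3):
        print(alert)
    print("EnableLUA set to 0 by pids:", detect_uac_disable(REG_EVENTS))
```

The detector keys on command lines rather than image paths, so the SysWOW64/System32 redirection seen in the report does not matter to it. It deliberately reports only takeown/icacls pairs from the same parent; the unpaired grant on C:\Program Files\Example\tool.exe in the constructed data produces nothing, and a production rule would want a lower-severity alert for that case as well.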
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0ead72f8a7146873391c71824000c5e1
SHA1 20be145404007b2033768096ac43ebbc29c526fd
SHA256 24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
SHA512 1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513
-
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0f2dfe0f3377a5fbc35ea259522b3b3c
SHA1 251591bcba6f2120e07a7e77c5023a586240376a
SHA256 6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc
SHA512 7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f
-
C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 4128509cbca080cd31519ceed504d1c8
SHA1 dc874088758a3821282fa5a9ae00fd0e368409e0
SHA256 f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
SHA512 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458
-
C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
Filesize 512KB
MD5 82fd0018bb2441cfc589124168472840
SHA1 c389e4cd7981f7236f19f357f5ba61901d52dc37
SHA256 17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9
SHA512 bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff
-
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0ead72f8a7146873391c71824000c5e1
SHA1 20be145404007b2033768096ac43ebbc29c526fd
SHA256 24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
SHA512 1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513
-
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0f2dfe0f3377a5fbc35ea259522b3b3c
SHA1 251591bcba6f2120e07a7e77c5023a586240376a
SHA256 6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc
SHA512 7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f
-
C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 4128509cbca080cd31519ceed504d1c8
SHA1 dc874088758a3821282fa5a9ae00fd0e368409e0
SHA256 f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
SHA512 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458
-
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0ead72f8a7146873391c71824000c5e1
SHA1 20be145404007b2033768096ac43ebbc29c526fd
SHA256 24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
SHA512 1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513
-
C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 4128509cbca080cd31519ceed504d1c8
SHA1 dc874088758a3821282fa5a9ae00fd0e368409e0
SHA256 f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
SHA512 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458
-
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0ead72f8a7146873391c71824000c5e1
SHA1 20be145404007b2033768096ac43ebbc29c526fd
SHA256 24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
SHA512 1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513
-
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0f2dfe0f3377a5fbc35ea259522b3b3c
SHA1 251591bcba6f2120e07a7e77c5023a586240376a
SHA256 6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc
SHA512 7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f
-
C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 4128509cbca080cd31519ceed504d1c8
SHA1 dc874088758a3821282fa5a9ae00fd0e368409e0
SHA256 f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
SHA512 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458
-
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 0ead72f8a7146873391c71824000c5e1
SHA1 20be145404007b2033768096ac43ebbc29c526fd
SHA256 24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
SHA512 1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513
-
C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
Filesize 32B
MD5 4128509cbca080cd31519ceed504d1c8
SHA1 dc874088758a3821282fa5a9ae00fd0e368409e0
SHA256 f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
SHA512 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458
-
memory/116-201-0x0000000000000000-mapping.dmp
-
memory/812-204-0x0000000000000000-mapping.dmp
-
memory/1064-163-0x0000000000000000-mapping.dmp
-
memory/1084-210-0x0000000000000000-mapping.dmp
-
memory/1084-183-0x0000000000000000-mapping.dmp
-
memory/1228-168-0x0000000000000000-mapping.dmp
-
memory/1300-175-0x0000000000000000-mapping.dmp
-
memory/1300-202-0x0000000000000000-mapping.dmp
-
memory/1312-217-0x0000000000000000-mapping.dmp
-
memory/1408-159-0x0000000000000000-mapping.dmp
-
memory/1456-166-0x0000000000000000-mapping.dmp
-
memory/1484-169-0x0000000000000000-mapping.dmp
-
memory/1600-213-0x0000000000000000-mapping.dmp
-
memory/1604-214-0x0000000000000000-mapping.dmp
-
memory/1604-162-0x0000000000000000-mapping.dmp
-
memory/1608-199-0x0000000000000000-mapping.dmp
-
memory/1812-218-0x0000000000000000-mapping.dmp
-
memory/1848-188-0x0000000000000000-mapping.dmp
-
memory/1892-170-0x0000000000000000-mapping.dmp
-
memory/1948-165-0x0000000000000000-mapping.dmp
-
memory/1960-182-0x0000000000000000-mapping.dmp
-
memory/1996-212-0x0000000000000000-mapping.dmp
-
memory/2248-135-0x0000000000000000-mapping.dmp
-
memory/2360-206-0x0000000000000000-mapping.dmp
-
memory/2368-185-0x0000000000000000-mapping.dmp
-
memory/2420-198-0x0000000000000000-mapping.dmp
-
memory/2424-215-0x0000000000000000-mapping.dmp
-
memory/2640-132-0x0000000000000000-mapping.dmp
-
memory/2668-178-0x0000000000000000-mapping.dmp
-
memory/2756-171-0x0000000000000000-mapping.dmp
-
memory/2764-197-0x0000000000000000-mapping.dmp
-
memory/2876-207-0x0000000000000000-mapping.dmp
-
memory/2964-195-0x0000000000000000-mapping.dmp
-
memory/3008-189-0x0000000000000000-mapping.dmp
-
memory/3012-208-0x0000000000000000-mapping.dmp
-
memory/3012-181-0x0000000000000000-mapping.dmp
-
memory/3032-161-0x0000000000000000-mapping.dmp
-
memory/3340-190-0x0000000000000000-mapping.dmp
-
memory/3364-205-0x0000000000000000-mapping.dmp
-
memory/3588-179-0x0000000000000000-mapping.dmp
-
memory/3648-174-0x0000000000000000-mapping.dmp
-
memory/3672-203-0x0000000000000000-mapping.dmp
-
memory/3712-176-0x0000000000000000-mapping.dmp
-
memory/3744-152-0x0000000000000000-mapping.dmp
-
memory/3768-172-0x0000000000000000-mapping.dmp
-
memory/3904-173-0x0000000000000000-mapping.dmp
-
memory/3988-186-0x0000000000000000-mapping.dmp
-
memory/4036-177-0x0000000000000000-mapping.dmp
-
memory/4080-160-0x0000000000000000-mapping.dmp
-
memory/4124-187-0x0000000000000000-mapping.dmp
-
memory/4244-209-0x0000000000000000-mapping.dmp
-
memory/4260-191-0x0000000000000000-mapping.dmp
-
memory/4260-219-0x0000000000000000-mapping.dmp
-
memory/4276-184-0x0000000000000000-mapping.dmp
-
memory/4328-211-0x0000000000000000-mapping.dmp
-
memory/4464-192-0x0000000000000000-mapping.dmp
-
memory/4556-164-0x0000000000000000-mapping.dmp
-
memory/4580-180-0x0000000000000000-mapping.dmp
-
memory/4600-216-0x0000000000000000-mapping.dmp
-
memory/4712-167-0x0000000000000000-mapping.dmp
-
memory/4944-196-0x0000000000000000-mapping.dmp
-
memory/5012-193-0x0000000000000000-mapping.dmp
-
memory/5092-194-0x0000000000000000-mapping.dmp
-
memory/5108-200-0x0000000000000000-mapping.dmp