Analysis

  • max time kernel
    90s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-10-2022 17:57

General

  • Target

    17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe

  • Size

    512KB

  • MD5

    82fd0018bb2441cfc589124168472840

  • SHA1

    c389e4cd7981f7236f19f357f5ba61901d52dc37

  • SHA256

    17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

  • SHA512

    bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

  • SSDEEP

    6144:0c47HpZ9ELuQN28GWqDfKCmxS1h8sF5/x:jKpcLuQpgDf+xKh8Kp

Malware Config

Signatures

  • UAC bypass 3 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Possible privilege escalation attempt 64 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 8 IoCs
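The most distinctive behaviour in this report is the run of takeown.exe /f and icacls.exe /grant Admin:D pairs that the dropped ahnbpqiqvi.exe (PID 3744) spawns under Processes below. In icacls simple-rights syntax D is the delete right, so the sample takes ownership of third-party executables under Program Files (x86) and then grants the Admin account permission to delete them. The command lines name C:\Windows\System32\ while the image that actually runs is C:\Windows\SysWOW64\: the sample is 32-bit (tagged arch:x86) and is subject to WoW64 file system redirection, which is worth remembering when writing image-path matches. The following detection is an added example and not part of the sandbox report or the tooling that produced it: it correlates a takeown and an icacls grant on the same path under the same parent process, which separates this pattern from an administrator running takeown once by hand. The input records are constructed from the command lines in the report; their field names are an assumption in the style of Sysmon Event ID 1.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation records modelled on the report's process tree:
# the dropped ahnbpqiqvi.exe (PID 3744) spawns takeown.exe / icacls.exe pairs.
# Field names are an assumption in the style of Sysmon Event ID 1; the double
# backslash after "(x86)" is copied from the command lines in the report.
EVENTS = [
    {"pid": 3744, "ppid": 2640,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -'},
    {"pid": 1604, "ppid": 3744, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r'"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"'},
    {"pid": 1064, "ppid": 3744, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D'},
    {"pid": 1456, "ppid": 3744, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r'"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"'},
    {"pid": 4712, "ppid": 3744, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D'},
    # Constructed benign control: an admin granting full control on a file in
    # their own profile, with no preceding takeown from the same parent.
    {"pid": 5200, "ppid": 900, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'"C:\Windows\System32\icacls.exe" "C:\Users\Admin\Documents\notes.txt" /grant Admin:F'},
]

# Directories whose executables the sample re-owns; a grant that allows
# deletion of anything under these is the case worth alerting on.
PROTECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# icacls rights that include delete: D (delete), M (modify), F (full control),
# and the specific right DE in the parenthesised syntax.
DELETE_CAPABLE = {"D", "M", "F", "DE"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd):
    """Split a Windows command line: a quoted span is one argument (quotes
    stripped), anything else splits on whitespace. Backslashes are literal."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]


def norm(path):
    """Case-fold and collapse doubled separators so both halves of a
    takeown/icacls pair compare equal even when one is written oddly."""
    return ntpath.normpath(path).lower()


def is_protected(path):
    return norm(path).startswith(PROTECTED_PREFIXES)


def parse_event(ev):
    """Classify one process-creation event.
    Returns ("takeown", path), ("icacls", path, principal, rights) or None."""
    exe = ntpath.basename(ev["image"]).lower()
    args = split_cmdline(ev["cmd"])
    if exe == "takeown.exe":
        for i, arg in enumerate(args):
            if arg.lower() == "/f" and i + 1 < len(args):
                return ("takeown", norm(args[i + 1]))
    elif exe == "icacls.exe" and len(args) >= 2:
        for i, arg in enumerate(args):
            # /grant or /grant:r, followed by principal:rights
            if arg.lower().split(":")[0] == "/grant" and i + 1 < len(args) and ":" in args[i + 1]:
                principal, rights = args[i + 1].rsplit(":", 1)
                return ("icacls", norm(args[1]), principal, rights.upper())
    return None


def grants_delete(rights):
    """True for D/M/F/DE in either simple or (parenthesised) rights syntax."""
    return any(tok in DELETE_CAPABLE for tok in re.findall(r"[A-Z]+", rights))


def detect(events):
    """Correlate takeown.exe /f and icacls.exe /grant on the same path under
    the same parent. Returns (findings, {ppid: count of high findings})."""
    takeowns = defaultdict(set)   # ppid -> {normalised path}
    grants = defaultdict(dict)    # ppid -> {normalised path: (principal, rights)}
    for ev in events:
        parsed = parse_event(ev)
        if parsed is None:
            continue
        if parsed[0] == "takeown":
            takeowns[ev["ppid"]].add(parsed[1])
        else:
            grants[ev["ppid"]][parsed[1]] = (parsed[2], parsed[3])

    findings = []
    per_parent = defaultdict(int)
    for ppid, paths in takeowns.items():
        for path in sorted(paths):
            if path not in grants.get(ppid, {}):
                continue
            principal, rights = grants[ppid][path]
            high = is_protected(path) and grants_delete(rights)
            findings.append({"ppid": ppid, "path": path, "principal": principal,
                             "rights": rights, "severity": "high" if high else "low"})
            if high:
                per_parent[ppid] += 1
    return findings, dict(per_parent)


if __name__ == "__main__":
    found, summary = detect(EVENTS)
    for f in found:
        print(f"[{f['severity']}] parent {f['ppid']}: {f['principal']} gets {f['rights']} on {f['path']}")
    print("chained ownership grabs per parent:", summary)
```

Run against the constructed records, detect() returns two high-severity findings, both under parent 3744, and nothing for the benign icacls call because no takeown from the same parent precedes it. On a real host the count per parent is the useful threshold: this sample chains dozens of such pairs from one process in seconds, which no administrative workflow does.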

Processes

  • C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe
    "C:\Users\Admin\AppData\Local\Temp\17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4972
    • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
      "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
        "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3744
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:1604
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1064
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
          4⤵
          PID:1456
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D
          4⤵
          PID:4712
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"
          4⤵
          PID:1892
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D
          4⤵
          PID:2756
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3648
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D
          4⤵
          PID:1300
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:2668
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D
          4⤵
          PID:3588
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:1960
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:1084
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
          4⤵
          PID:3988
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:4124
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
          4⤵
          PID:3340
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:4260
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:5092
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D
          4⤵
          PID:2964
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"
          4⤵
          PID:2420
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D
          4⤵
          PID:1608
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
          4⤵
          • Modifies file permissions
          PID:1300
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D
          4⤵
          PID:3672
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"
          4⤵
          • Modifies file permissions
          PID:2360
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D
          4⤵
          PID:2876
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:1084
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D
          4⤵
          PID:4328
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1604
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:2424
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
          4⤵
          PID:1812
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:4260
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"
          4⤵
          • Modifies file permissions
          PID:4436
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:2824
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
          4⤵
          • Modifies file permissions
          PID:2740
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:2200
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"
          4⤵
          PID:4040
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:4596
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
          4⤵
          PID:3556
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:3968
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
          4⤵
          PID:1068
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:60
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"
          4⤵
          PID:1852
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D
          4⤵
          PID:2252
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"
          4⤵
          PID:3340
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:4392
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"
          4⤵
          PID:3396
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:780
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3108
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D
          4⤵
          PID:2520
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D
          4⤵
          • Possible privilege escalation attempt
          PID:2388
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
          4⤵
          • Possible privilege escalation attempt
          • Suspicious use of AdjustPrivilegeToken
          PID:4296
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D
          4⤵
          PID:812
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
          4⤵
          PID:1564
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:516
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:4120
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
          4⤵
          PID:1064
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
          4⤵
          PID:4704
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
          4⤵
          PID:4264
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4948
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:4112
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
          4⤵
          • Modifies file permissions
          PID:3896
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
          4⤵
          PID:1568
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
          4⤵
          PID:4976
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
          4⤵
          PID:2756
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
          4⤵
          PID:4240
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
          4⤵
          PID:4344
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
          4⤵
          PID:5064
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
          4⤵
          PID:3916
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:4352
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
          4⤵
          PID:1960
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:1860
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
          4⤵
          PID:2948
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
          4⤵
          • Possible privilege escalation attempt
          PID:3612
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
          4⤵
          • Modifies file permissions
          PID:4704
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"
          4⤵
          PID:1856
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D
          4⤵
          PID:4948
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
          4⤵
                                                                                        • Possible privilege escalation attempt
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:856
                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
                                                                                        4⤵
                                                                                        • Possible privilege escalation attempt
                                                                                        • Modifies file permissions
                                                                                        PID:1432
                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
                                                                                        4⤵
                                                                                        • Modifies file permissions
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4416
                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
                                                                                        4⤵
                                                                                          PID:4976
                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
                                                                                          4⤵
                                                                                          • Possible privilege escalation attempt
                                                                                          • Modifies file permissions
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1612
                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
                                                                                          4⤵
                                                                                            PID:1968
                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
                                                                                            4⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            • Modifies file permissions
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1420
                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
                                                                                            4⤵
                                                                                              PID:4296
                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"
                                                                                              4⤵
                                                                                              • Modifies file permissions
                                                                                              PID:2276
                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D
                                                                                              4⤵
                                                                                                PID:4808
                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"
                                                                                                4⤵
                                                                                                • Modifies file permissions
                                                                                                PID:2372
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D
                                                                                                4⤵
                                                                                                  PID:1064
                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
                                                                                                  4⤵
                                                                                                    PID:4076
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D
                                                                                                    4⤵
                                                                                                    • Possible privilege escalation attempt
                                                                                                    PID:2260
                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
                                                                                                    4⤵
                                                                                                      PID:4464
                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D
                                                                                                      4⤵
                                                                                                      • Possible privilege escalation attempt
                                                                                                      • Modifies file permissions
                                                                                                      PID:2528
                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"
                                                                                                      4⤵
                                                                                                        PID:4064
                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D
                                                                                                        4⤵
                                                                                                        • Possible privilege escalation attempt
                                                                                                        PID:780
                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"
                                                                                                        4⤵
                                                                                                          PID:4736
                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D
                                                                                                          4⤵
                                                                                                          • Possible privilege escalation attempt
                                                                                                          • Modifies file permissions
                                                                                                          PID:3836
                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"
                                                                                                          4⤵
                                                                                                          • Possible privilege escalation attempt
                                                                                                          PID:3740
                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D
                                                                                                          4⤵
                                                                                                            PID:4424
                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"
                                                                                                            4⤵
                                                                                                              PID:3116
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D
                                                                                                              4⤵
                                                                                                                PID:4760
                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"
                                                                                                                4⤵
                                                                                                                  PID:1452
                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D
                                                                                                                  4⤵
                                                                                                                  • Modifies file permissions
                                                                                                                  PID:4744
                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"
                                                                                                                  4⤵
                                                                                                                  • Possible privilege escalation attempt
                                                                                                                  • Modifies file permissions
                                                                                                                  PID:4276
                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D
                                                                                                                  4⤵
                                                                                                                    PID:3332
                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"
                                                                                                                    4⤵
                                                                                                                      PID:4536
                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D
                                                                                                                      4⤵
                                                                                                                      • Possible privilege escalation attempt
                                                                                                                      PID:656
                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"
                                                                                                                      4⤵
                                                                                                                        PID:3640
                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D
                                                                                                                        4⤵
                                                                                                                          PID:1456
                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"
                                                                                                                          4⤵
                                                                                                                            PID:3396
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D
                                                                                                                            4⤵
                                                                                                                            • Possible privilege escalation attempt
                                                                                                                            • Modifies file permissions
                                                                                                                            PID:4112
                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"
                                                                                                                            4⤵
                                                                                                                            • Possible privilege escalation attempt
                                                                                                                            PID:4020
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D
                                                                                                                            4⤵
                                                                                                                              PID:3460
                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"
                                                                                                                              4⤵
                                                                                                                                PID:3416
                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D
                                                                                                                                4⤵
                                                                                                                                  PID:2616
                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
                                                                                                                                3⤵
                                                                                                                                  PID:4080
                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe" /grant Admin:D
                                                                                                                                  3⤵
                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                  PID:3032
                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
                                                                                                                                  3⤵
                                                                                                                                    PID:4556
                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /grant Admin:D
                                                                                                                                    3⤵
                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                    PID:1948
                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" /grant Admin:D
                                                                                                                                    3⤵
                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                    • Modifies file permissions
                                                                                                                                    PID:1484
                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"
                                                                                                                                    3⤵
                                                                                                                                      PID:1228
                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe"
                                                                                                                                      3⤵
                                                                                                                                      • Modifies file permissions
                                                                                                                                      PID:3768
                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe" /grant Admin:D
                                                                                                                                      3⤵
                                                                                                                                        PID:3904
                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
                                                                                                                                        3⤵
                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                        • Modifies file permissions
                                                                                                                                        PID:3712
                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /grant Admin:D
                                                                                                                                        3⤵
                                                                                                                                          PID:4036
                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
                                                                                                                                          3⤵
                                                                                                                                            PID:4580
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe" /grant Admin:D
                                                                                                                                            3⤵
                                                                                                                                              PID:3012
                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                              PID:4276
                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /grant Admin:D
                                                                                                                                              3⤵
                                                                                                                                                PID:2368
                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
                                                                                                                                                3⤵
                                                                                                                                                  PID:1848
                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe" /grant Admin:D
                                                                                                                                                  3⤵
                                                                                                                                                    PID:3008
                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:4464
                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /grant Admin:D
                                                                                                                                                    3⤵
                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                    PID:5012
                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:4944
                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\arh.exe" /grant Admin:D
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2764
                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                        "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
                                                                                                                                                        3⤵
                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                        PID:5108
                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /grant Admin:D
                                                                                                                                                        3⤵
                                                                                                                                                          PID:116
                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe"
                                                                                                                                                          3⤵
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:812
                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\Eula.exe" /grant Admin:D
                                                                                                                                                          3⤵
                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:3364
                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:3012
                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /grant Admin:D
                                                                                                                                                            3⤵
                                                                                                                                                            • Modifies file permissions
                                                                                                                                                            PID:4244
                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                            "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:1996
                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /grant Admin:D
                                                                                                                                                              3⤵
                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                              PID:1600
                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
                                                                                                                                                              3⤵
                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                              PID:4600
                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe" /grant Admin:D
                                                                                                                                                              3⤵
                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                              • Modifies file permissions
                                                                                                                                                              PID:1312
                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe"
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5012
                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe" /grant Admin:D
                                                                                                                                                                3⤵
                                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                                PID:780
                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:4944
                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\reader_sl.exe" /grant Admin:D
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:4116
                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                    PID:176
                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Adobe\Acrobat Reader DC\Reader\wow_helper.exe" /grant Admin:D
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                    PID:2388
                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4036
                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /grant Admin:D
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Possible privilege escalation attempt
                                                                                                                                                                      PID:1964
                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Possible privilege escalation attempt
                                                                                                                                                                      PID:3760
                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /grant Admin:D
  3⤵
    PID:4352
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe"
  3⤵
    PID:1816
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jaureg.exe" /grant Admin:D
  3⤵
    • Possible privilege escalation attempt
    PID:1860
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe"
  3⤵
    PID:4364
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jucheck.exe" /grant Admin:D
  3⤵
    • Possible privilege escalation attempt
    PID:1704
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe"
  3⤵
    PID:4144
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Java\Java Update\jusched.exe" /grant Admin:D
  3⤵
    PID:4712
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe"
  3⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1340
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\pipanel.exe" /grant Admin:D
  3⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:2508
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe"
  3⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4356
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\ink\TabTip32.exe" /grant Admin:D
  3⤵
    PID:2200
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
  3⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    • Suspicious use of AdjustPrivilegeToken
    PID:3116
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Admin:D
  3⤵
    PID:4252
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
  3⤵
    PID:2360
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Admin:D
  3⤵
    PID:4580
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe"
  3⤵
    PID:4728
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /grant Admin:D
  3⤵
    PID:2800
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe"
  3⤵
    • Modifies file permissions
    PID:1604
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleCrashHandler64.exe" /grant Admin:D
  3⤵
    PID:656
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe"
  3⤵
    PID:1312
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdate.exe" /grant Admin:D
  3⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:4464
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"
  3⤵
    PID:544
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /grant Admin:D
  3⤵
    • Modifies file permissions
    PID:2684
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe"
  3⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:4376
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe" /grant Admin:D
  3⤵
    • Possible privilege escalation attempt
    PID:3460
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe"
  3⤵
    • Modifies file permissions
    PID:1608
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /grant Admin:D
  3⤵
    • Modifies file permissions
    PID:220
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe"
  3⤵
    • Modifies file permissions
    PID:4596
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe" /grant Admin:D
  3⤵
    PID:4608
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe"
  3⤵
    PID:628
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\1.3.36.71\GoogleUpdateSetup.exe" /grant Admin:D
  3⤵
    PID:548
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe"
  3⤵
    PID:1084
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\DisabledGoogleUpdate.exe" /grant Admin:D
  3⤵
    PID:2372
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe"
  3⤵
    PID:5004
• C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe" /grant Admin:D
  3⤵
    • Modifies file permissions
    PID:4124
• C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                              PID:1060
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\chrome_installer.exe" /grant Admin:D
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:4392
                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1388
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ExtExport.exe" /grant Admin:D
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:1484
                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:5044
                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ieinstal.exe" /grant Admin:D
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:2300
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:3940
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\ielowutil.exe" /grant Admin:D
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:4224
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Internet Explorer\iexplore.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:4920
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" /grant Admin:D
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:3672
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:3720
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" /grant Admin:D
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:2536
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe"
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:5080
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe" /grant Admin:D
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:1068
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                                                                                          PID:2028
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" /grant Admin:D
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                                                                                          PID:3944
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                                                                                          PID:5088
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" /grant Admin:D
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                                                                                          PID:1336
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:5012
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" /grant Admin:D
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:4180
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe"
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                              PID:4932
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge.exe" /grant Admin:D
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                              PID:1568
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe"
                                                                                                                                                                                                                              3⤵
      PID:2740
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe" /grant Admin:D
      3⤵
      PID:3656
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe"
      3⤵
      PID:2108
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe" /grant Admin:D
      3⤵
      PID:1968
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe"
      3⤵
      • Modifies file permissions
      PID:5064
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe" /grant Admin:D
      3⤵
      PID:3540
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe"
      3⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2276
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe" /grant Admin:D
      3⤵
      PID:1960
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"
      3⤵
      • Possible privilege escalation attempt
      PID:2372
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe" /grant Admin:D
      3⤵
      • Modifies file permissions
      PID:4448
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe"
      3⤵
      PID:4076
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge.exe" /grant Admin:D
      3⤵
      PID:1384
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe"
      3⤵
      PID:3340
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\msedge_proxy.exe" /grant Admin:D
      3⤵
      PID:1880
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe"
      3⤵
      PID:4592
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\Edge\Application\pwahelper.exe" /grant Admin:D
      3⤵
      PID:2104
    • C:\Windows\SysWOW64\takeown.exe
      "C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe"
      3⤵
      PID:4968
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeComRegisterShellARM64.exe" /grant Admin:D
      3⤵
      • Possible privilege escalation attempt
      PID:2508
  • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
    "C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe" -
    2⤵
    • UAC bypass
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System policy modification
    PID:2248
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    2⤵
    PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                        Count   ID
  Privilege Escalation   Bypass User Account Control      1       T1088
  Defense Evasion        Bypass User Account Control      1       T1088
  Defense Evasion        Disabling Security Tools         1       T1089
  Defense Evasion        Modify Registry                  2       T1112
  Defense Evasion        File Permissions Modification    1       T1222
  Discovery              Query Registry                   1       T1012
  Discovery              System Information Discovery     3       T1082


Downloads

• C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
  Filesize: 32B
  MD5:      0ead72f8a7146873391c71824000c5e1
  SHA1:     20be145404007b2033768096ac43ebbc29c526fd
  SHA256:   24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373
  SHA512:   1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

• C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
  Filesize: 32B
  MD5:      0f2dfe0f3377a5fbc35ea259522b3b3c

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      251591bcba6f2120e07a7e77c5023a586240376a

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

                                                                                                                                                                                                                                                    • C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Program Files (x86)\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      512KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      512KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      512KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ahnbpqiqvi.exe
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      512KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      82fd0018bb2441cfc589124168472840

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      c389e4cd7981f7236f19f357f5ba61901d52dc37

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      17bffdc7caa0f9f12900cbcdb322880c952cd1b39039db00b04e32af77169fd9

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      bbe2e63c6e60ef81492458589b0f828fae7790d0ef3b8d9719ea7cf392f0e0da7034ac3c0662273513954d2979181cb31d2cba74a42736505aafaa26d3ab12ff

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0ead72f8a7146873391c71824000c5e1

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      20be145404007b2033768096ac43ebbc29c526fd

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0f2dfe0f3377a5fbc35ea259522b3b3c

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      251591bcba6f2120e07a7e77c5023a586240376a

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0ead72f8a7146873391c71824000c5e1

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      20be145404007b2033768096ac43ebbc29c526fd

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0ead72f8a7146873391c71824000c5e1

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      20be145404007b2033768096ac43ebbc29c526fd

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0f2dfe0f3377a5fbc35ea259522b3b3c

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      251591bcba6f2120e07a7e77c5023a586240376a

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      6b9010cb7b02e450a97484800e14ea03d0a1de411aade46e43e8dd6708f803fc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      7795b5bad85505875cff7b9bc0f691e6e1679716dd850bb9947bb0e6b0af81881e9caaf0895b4b8e34c2fdc0d5fb736817bdc2a1f0782671b3fe8ea7f5a2083f

                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4128509cbca080cd31519ceed504d1c8

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      dc874088758a3821282fa5a9ae00fd0e368409e0

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

                                                                                                                                                                                                                                                    • C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      32B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      0ead72f8a7146873391c71824000c5e1

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      20be145404007b2033768096ac43ebbc29c526fd

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      24235497339896f27985465ada8c25c37e989bd12faac5dec00c1b09cf2a0373

                                                                                                                                                                                                                                                      SHA512

1cefc50907547470e8572a28e24fa48c6eeac10c03e57fe334d9674673d2667a6c0a0299545d74f25e1b9a66641f5391cfd7c255550e45933df03b7b30017513

• C:\Windows\ihflrkuurwwunxnhvhsrpvbu.ebg
  Filesize: 32B
  MD5: 4128509cbca080cd31519ceed504d1c8
  SHA1: dc874088758a3821282fa5a9ae00fd0e368409e0
  SHA256: f04355788e59f454ab02bf1dd57fd5d08ef9bff09c6326aaf1ba65223579f4bc
  SHA512: 8b7c98a67b31c35f1edb6591dccf73f0d3dd2283412ccefad3d1a446b426c1b9254e3953f47f39038021a71eadfda0f08e5d6d69c8785266dff33a337b57e458

• memory/116-201-0x0000000000000000-mapping.dmp
• memory/812-204-0x0000000000000000-mapping.dmp
• memory/1064-163-0x0000000000000000-mapping.dmp
• memory/1084-210-0x0000000000000000-mapping.dmp
• memory/1084-183-0x0000000000000000-mapping.dmp
• memory/1228-168-0x0000000000000000-mapping.dmp
• memory/1300-175-0x0000000000000000-mapping.dmp
• memory/1300-202-0x0000000000000000-mapping.dmp
• memory/1312-217-0x0000000000000000-mapping.dmp
• memory/1408-159-0x0000000000000000-mapping.dmp
• memory/1456-166-0x0000000000000000-mapping.dmp
• memory/1484-169-0x0000000000000000-mapping.dmp
• memory/1600-213-0x0000000000000000-mapping.dmp
• memory/1604-214-0x0000000000000000-mapping.dmp
• memory/1604-162-0x0000000000000000-mapping.dmp
• memory/1608-199-0x0000000000000000-mapping.dmp
• memory/1812-218-0x0000000000000000-mapping.dmp
• memory/1848-188-0x0000000000000000-mapping.dmp
• memory/1892-170-0x0000000000000000-mapping.dmp
• memory/1948-165-0x0000000000000000-mapping.dmp
• memory/1960-182-0x0000000000000000-mapping.dmp
• memory/1996-212-0x0000000000000000-mapping.dmp
• memory/2248-135-0x0000000000000000-mapping.dmp
• memory/2360-206-0x0000000000000000-mapping.dmp
• memory/2368-185-0x0000000000000000-mapping.dmp
• memory/2420-198-0x0000000000000000-mapping.dmp
• memory/2424-215-0x0000000000000000-mapping.dmp
• memory/2640-132-0x0000000000000000-mapping.dmp
• memory/2668-178-0x0000000000000000-mapping.dmp
• memory/2756-171-0x0000000000000000-mapping.dmp
• memory/2764-197-0x0000000000000000-mapping.dmp
• memory/2876-207-0x0000000000000000-mapping.dmp
• memory/2964-195-0x0000000000000000-mapping.dmp
• memory/3008-189-0x0000000000000000-mapping.dmp
• memory/3012-208-0x0000000000000000-mapping.dmp
• memory/3012-181-0x0000000000000000-mapping.dmp
• memory/3032-161-0x0000000000000000-mapping.dmp
• memory/3340-190-0x0000000000000000-mapping.dmp
• memory/3364-205-0x0000000000000000-mapping.dmp
• memory/3588-179-0x0000000000000000-mapping.dmp
• memory/3648-174-0x0000000000000000-mapping.dmp
• memory/3672-203-0x0000000000000000-mapping.dmp
• memory/3712-176-0x0000000000000000-mapping.dmp
• memory/3744-152-0x0000000000000000-mapping.dmp
• memory/3768-172-0x0000000000000000-mapping.dmp
• memory/3904-173-0x0000000000000000-mapping.dmp
• memory/3988-186-0x0000000000000000-mapping.dmp
• memory/4036-177-0x0000000000000000-mapping.dmp
• memory/4080-160-0x0000000000000000-mapping.dmp
• memory/4124-187-0x0000000000000000-mapping.dmp
• memory/4244-209-0x0000000000000000-mapping.dmp
• memory/4260-191-0x0000000000000000-mapping.dmp
• memory/4260-219-0x0000000000000000-mapping.dmp
• memory/4276-184-0x0000000000000000-mapping.dmp
• memory/4328-211-0x0000000000000000-mapping.dmp
• memory/4464-192-0x0000000000000000-mapping.dmp
• memory/4556-164-0x0000000000000000-mapping.dmp
• memory/4580-180-0x0000000000000000-mapping.dmp
• memory/4600-216-0x0000000000000000-mapping.dmp
• memory/4712-167-0x0000000000000000-mapping.dmp
• memory/4944-196-0x0000000000000000-mapping.dmp
• memory/5012-193-0x0000000000000000-mapping.dmp
• memory/5092-194-0x0000000000000000-mapping.dmp
• memory/5108-200-0x0000000000000000-mapping.dmp