d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86

Analysis

max time kernel
2s
max time network
264s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

H2 (2).exe
Size

22KB
MD5

b014736055c3a7cf6af257dd7f84af7d
SHA1

d2ac0fb6482c2551a72fac685312c007e3e294d7
SHA256

d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
SHA512

c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
SSDEEP

384:Pl5PmikkxZNVUwSymwfixj1VUVIx2b4KJBy/V+wTMUufgqflVW9s:PlxkkDmp9UbdvQMSAlU9

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

H2.exeH2.exeH2.exeH2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Disables RegEdit via registry modification 4 IoCs

evasion

Processes:

H2.exeH2.exeH2.exeH2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe

Possible privilege escalation attempt 56 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
3492	takeown.exe
3448	takeown.exe
5552	icacls.exe
3308	icacls.exe
1832	icacls.exe
3500	takeown.exe
3464	icacls.exe
1756	takeown.exe
1028	takeown.exe
10060	icacls.exe
10356	takeown.exe
3324	takeown.exe
5188	takeown.exe
7952	icacls.exe
7280	icacls.exe
2384	icacls.exe
2576	takeown.exe
2044	takeown.exe
1300	takeown.exe
896	takeown.exe
6900	icacls.exe
7796	icacls.exe
3088	takeown.exe
2292	takeown.exe
920	takeown.exe
2140	icacls.exe
3556	icacls.exe
3676	icacls.exe
2344	icacls.exe
2300	takeown.exe
4764	icacls.exe
4224	icacls.exe
3532	icacls.exe
1120	takeown.exe
5864	takeown.exe
7492	takeown.exe
2320	takeown.exe
1940	takeown.exe
3616	takeown.exe
3608	takeown.exe
2436	takeown.exe
4760	icacls.exe
3656	takeown.exe
5720	icacls.exe
2152	icacls.exe
2560	takeown.exe
1520	icacls.exe
3508	takeown.exe
6068	icacls.exe
788	icacls.exe
2316	takeown.exe
2384	takeown.exe
3260	takeown.exe
2668	icacls.exe
3008	icacls.exe
2500	takeown.exe

Executes dropped EXE 19 IoCs

Processes:

H2.exeN64F43K1J70W0XF2M53.exeH2.exeV38X85K7V81L8YS3A17.exeH2.exeP75J88Z0E64G2LN7D81.exeH2.exeL27B52A2L11N4YX2L57.exeG62B37Y2F62X5DP6O73.exeH2.exeO35S70Y0R72N5EC7D37.exeV02X31P8S06N5NS7R48.exeT42I71V5M21S7HU1D55.exeB15A23V2Z32H7IH1S00.exeV52M26K4H05C0VC5V83.exeH2.exeU01R45U3P16E3XX8M31.exeH2.exeH2.exe

pid	process
2716	H2.exe
2620	N64F43K1J70W0XF2M53.exe
2212	H2.exe
2332	V38X85K7V81L8YS3A17.exe
2740	H2.exe
2900	P75J88Z0E64G2LN7D81.exe
2004	H2.exe
904	L27B52A2L11N4YX2L57.exe
2880	G62B37Y2F62X5DP6O73.exe
1584	H2.exe
1104	O35S70Y0R72N5EC7D37.exe
2816	V02X31P8S06N5NS7R48.exe
2328	T42I71V5M21S7HU1D55.exe
1572	B15A23V2Z32H7IH1S00.exe
708	V52M26K4H05C0VC5V83.exe
1932	H2.exe
936	U01R45U3P16E3XX8M31.exe
2288	H2.exe
1616	H2.exe

Loads dropped DLL 11 IoCs

Processes:

H2.exeH2.exe

pid process

2716 H2.exe
2716 H2.exe
2716 H2.exe
2716 H2.exe
2716 H2.exe
2716 H2.exe
2740 H2.exe
2716 H2.exe
2716 H2.exe
2740 H2.exe
2716 H2.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2560	takeown.exe
2576	takeown.exe
1940	takeown.exe
5188	takeown.exe
2300	takeown.exe
6900	icacls.exe
2668	icacls.exe
6068	icacls.exe
920	takeown.exe
2140	icacls.exe
3676	icacls.exe
7796	icacls.exe
10356	takeown.exe
2292	takeown.exe
3532	icacls.exe
3260	takeown.exe
3088	takeown.exe
7952	icacls.exe
2316	takeown.exe
3008	icacls.exe
5864	takeown.exe
2500	takeown.exe
788	icacls.exe
2384	takeown.exe
3492	takeown.exe
4760	icacls.exe
1520	icacls.exe
3656	takeown.exe
3308	icacls.exe
896	takeown.exe
4764	icacls.exe
2044	takeown.exe
1756	takeown.exe
2436	takeown.exe
5552	icacls.exe
2152	icacls.exe
4224	icacls.exe
3448	takeown.exe
7492	takeown.exe
3508	takeown.exe
3616	takeown.exe
3556	icacls.exe
3608	takeown.exe
1028	takeown.exe
2344	icacls.exe
3500	takeown.exe
10060	icacls.exe
7280	icacls.exe
2320	takeown.exe
1832	icacls.exe
2384	icacls.exe
3464	icacls.exe
1300	takeown.exe
1120	takeown.exe
3324	takeown.exe
5720	icacls.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

H2.exeH2.exeH2.exeH2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Drops file in Program Files directory 4 IoCs

Processes:

H2.exeH2.exe

description	ioc	process
File created	C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe	H2.exe
File created	C:\Program Files\A06C73C8G47F7KU5F60.exe	H2.exe
File created	C:\Program Files (x86)\A06C73C8G47F7KU5F60.exe	H2.exe
File created	C:\Program Files\G62B37Y2F62X5DP6O73.exe	H2.exe

Drops file in Windows directory 1 IoCs

Processes:

H2.exe

description ioc process

File created C:\Windows\A06C73C8G47F7KU5F60.exe H2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\A06C73C8G47F7KU5F60.exe	H2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

H2.exe

pid	process
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe
2716	H2.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

H2.exetakeown.exeH2.exeH2.exetakeown.exeH2.exeH2.exe

description	pid	process
Token: SeDebugPrivilege	2716	H2.exe
Token: SeDebugPrivilege	2716	H2.exe
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeDebugPrivilege	2212	H2.exe
Token: SeDebugPrivilege	2212	H2.exe
Token: SeDebugPrivilege	2740	H2.exe
Token: SeTakeOwnershipPrivilege	2316	takeown.exe
Token: SeDebugPrivilege	2740	H2.exe
Token: SeDebugPrivilege	2004	H2.exe
Token: SeDebugPrivilege	2004	H2.exe
Token: SeDebugPrivilege	1584	H2.exe
Token: SeDebugPrivilege	1584	H2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

H2 (2).exeH2.execmd.exeN64F43K1J70W0XF2M53.exeH2.exeV38X85K7V81L8YS3A17.execmd.exeH2.exeP75J88Z0E64G2LN7D81.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 2716	1740	H2 (2).exe	H2.exe
PID 1740 wrote to memory of 2716	1740	H2 (2).exe	H2.exe
PID 1740 wrote to memory of 2716	1740	H2 (2).exe	H2.exe
PID 1740 wrote to memory of 2716	1740	H2 (2).exe	H2.exe
PID 2716 wrote to memory of 3024	2716	H2.exe	cmd.exe
PID 2716 wrote to memory of 3024	2716	H2.exe	cmd.exe
PID 2716 wrote to memory of 3024	2716	H2.exe	cmd.exe
PID 2716 wrote to memory of 3024	2716	H2.exe	cmd.exe
PID 3024 wrote to memory of 2560	3024	cmd.exe	takeown.exe
PID 3024 wrote to memory of 2560	3024	cmd.exe	takeown.exe
PID 3024 wrote to memory of 2560	3024	cmd.exe	takeown.exe
PID 3024 wrote to memory of 2560	3024	cmd.exe	takeown.exe
PID 3024 wrote to memory of 2668	3024	cmd.exe	icacls.exe
PID 3024 wrote to memory of 2668	3024	cmd.exe	icacls.exe
PID 3024 wrote to memory of 2668	3024	cmd.exe	icacls.exe
PID 3024 wrote to memory of 2668	3024	cmd.exe	icacls.exe
PID 2716 wrote to memory of 2620	2716	H2.exe	N64F43K1J70W0XF2M53.exe
PID 2716 wrote to memory of 2620	2716	H2.exe	N64F43K1J70W0XF2M53.exe
PID 2716 wrote to memory of 2620	2716	H2.exe	N64F43K1J70W0XF2M53.exe
PID 2716 wrote to memory of 2620	2716	H2.exe	N64F43K1J70W0XF2M53.exe
PID 2620 wrote to memory of 2212	2620	N64F43K1J70W0XF2M53.exe	H2.exe
PID 2620 wrote to memory of 2212	2620	N64F43K1J70W0XF2M53.exe	H2.exe
PID 2620 wrote to memory of 2212	2620	N64F43K1J70W0XF2M53.exe	H2.exe
PID 2620 wrote to memory of 2212	2620	N64F43K1J70W0XF2M53.exe	H2.exe
PID 2716 wrote to memory of 2332	2716	H2.exe	V38X85K7V81L8YS3A17.exe
PID 2716 wrote to memory of 2332	2716	H2.exe	V38X85K7V81L8YS3A17.exe
PID 2716 wrote to memory of 2332	2716	H2.exe	V38X85K7V81L8YS3A17.exe
PID 2716 wrote to memory of 2332	2716	H2.exe	V38X85K7V81L8YS3A17.exe
PID 2212 wrote to memory of 1676	2212	H2.exe	cmd.exe
PID 2212 wrote to memory of 1676	2212	H2.exe	cmd.exe
PID 2212 wrote to memory of 1676	2212	H2.exe	cmd.exe
PID 2212 wrote to memory of 1676	2212	H2.exe	cmd.exe
PID 2716 wrote to memory of 2900	2716	H2.exe	P75J88Z0E64G2LN7D81.exe
PID 2716 wrote to memory of 2900	2716	H2.exe	P75J88Z0E64G2LN7D81.exe
PID 2716 wrote to memory of 2900	2716	H2.exe	P75J88Z0E64G2LN7D81.exe
PID 2716 wrote to memory of 2900	2716	H2.exe	P75J88Z0E64G2LN7D81.exe
PID 2332 wrote to memory of 2740	2332	V38X85K7V81L8YS3A17.exe	H2.exe
PID 2332 wrote to memory of 2740	2332	V38X85K7V81L8YS3A17.exe	H2.exe
PID 2332 wrote to memory of 2740	2332	V38X85K7V81L8YS3A17.exe	H2.exe
PID 2332 wrote to memory of 2740	2332	V38X85K7V81L8YS3A17.exe	H2.exe
PID 1676 wrote to memory of 2316	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 2316	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 2316	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 2316	1676	cmd.exe	takeown.exe
PID 2740 wrote to memory of 832	2740	H2.exe	cmd.exe
PID 2740 wrote to memory of 832	2740	H2.exe	cmd.exe
PID 2740 wrote to memory of 832	2740	H2.exe	cmd.exe
PID 2740 wrote to memory of 832	2740	H2.exe	cmd.exe
PID 2900 wrote to memory of 2004	2900	P75J88Z0E64G2LN7D81.exe	H2.exe
PID 2900 wrote to memory of 2004	2900	P75J88Z0E64G2LN7D81.exe	H2.exe
PID 2900 wrote to memory of 2004	2900	P75J88Z0E64G2LN7D81.exe	H2.exe
PID 2900 wrote to memory of 2004	2900	P75J88Z0E64G2LN7D81.exe	H2.exe
PID 2716 wrote to memory of 904	2716	H2.exe	L27B52A2L11N4YX2L57.exe
PID 2716 wrote to memory of 904	2716	H2.exe	L27B52A2L11N4YX2L57.exe
PID 2716 wrote to memory of 904	2716	H2.exe	L27B52A2L11N4YX2L57.exe
PID 2716 wrote to memory of 904	2716	H2.exe	L27B52A2L11N4YX2L57.exe
PID 832 wrote to memory of 2320	832	cmd.exe	L41L08F3V25W3FM5B35.exe
PID 832 wrote to memory of 2320	832	cmd.exe	L41L08F3V25W3FM5B35.exe
PID 832 wrote to memory of 2320	832	cmd.exe	L41L08F3V25W3FM5B35.exe
PID 832 wrote to memory of 2320	832	cmd.exe	L41L08F3V25W3FM5B35.exe
PID 832 wrote to memory of 1832	832	cmd.exe	icacls.exe
PID 832 wrote to memory of 1832	832	cmd.exe	icacls.exe
PID 832 wrote to memory of 1832	832	cmd.exe	icacls.exe
PID 832 wrote to memory of 1832	832	cmd.exe	icacls.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

H2.exeH2.exeH2.exeH2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe

C:\Users\Admin\AppData\Local\Temp\H2 (2).exe
"C:\Users\Admin\AppData\Local\Temp\H2 (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\H2.exe
"C:\H2.exe"
2⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
3⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2668

C:\$Recycle.Bin\N64F43K1J70W0XF2M53.exe
"C:\$Recycle.Bin\N64F43K1J70W0XF2M53.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620

C:\H2.exe
"C:\H2.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:4136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
5⤵
PID:7300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:3488

C:\Documents and Settings\V38X85K7V81L8YS3A17.exe
"C:\Documents and Settings\V38X85K7V81L8YS3A17.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\H2.exe
"C:\H2.exe"
4⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2320

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1832

C:\$Recycle.Bin\V02X31P8S06N5NS7R48.exe
"C:\$Recycle.Bin\V02X31P8S06N5NS7R48.exe"
5⤵
- Executes dropped EXE
PID:2816

C:\H2.exe
"C:\H2.exe"
6⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:1516

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
7⤵
PID:5728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
7⤵
PID:5860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
7⤵
PID:5976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
7⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:6304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
7⤵
PID:6912

C:\Documents and Settings\U01R45U3P16E3XX8M31.exe
"C:\Documents and Settings\U01R45U3P16E3XX8M31.exe"
5⤵
- Executes dropped EXE
PID:936

C:\H2.exe
"C:\H2.exe"
6⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2588

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3500

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3676

C:\$Recycle.Bin\P57G70B0U52O2KN2O46.exe
"C:\$Recycle.Bin\P57G70B0U52O2KN2O46.exe"
7⤵
PID:8792

C:\Documents and Settings\R06B46W0A85M4ZM6N88.exe
"C:\Documents and Settings\R06B46W0A85M4ZM6N88.exe"
7⤵
PID:4464

C:\MSOCache\Q55U01I4Y62A1BR5T36.exe
"C:\MSOCache\Q55U01I4Y62A1BR5T36.exe"
7⤵
PID:10872

C:\PerfLogs\N08B01L3W65T7OL4P02.exe
"C:\PerfLogs\N08B01L3W65T7OL4P02.exe"
7⤵
PID:10812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:12284

C:\MSOCache\D77T56F6J25H4EZ5N82.exe
"C:\MSOCache\D77T56F6J25H4EZ5N82.exe"
5⤵
PID:2664

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2408

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3616

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3464

C:\$Recycle.Bin\P68L53Q0Z68S2AI8W35.exe
"C:\$Recycle.Bin\P68L53Q0Z68S2AI8W35.exe"
7⤵
PID:9624

C:\Documents and Settings\Y80N33P8I21R0WJ4P43.exe
"C:\Documents and Settings\Y80N33P8I21R0WJ4P43.exe"
7⤵
PID:10620

C:\MSOCache\D88U10Z6M34M8QS2O07.exe
"C:\MSOCache\D88U10Z6M34M8QS2O07.exe"
7⤵
PID:11600

C:\PerfLogs\T65S27A6X45A7OJ4T24.exe
"C:\PerfLogs\T65S27A6X45A7OJ4T24.exe"
5⤵
PID:3064

C:\H2.exe
"C:\H2.exe"
6⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3184

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3608

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3308

C:\$Recycle.Bin\U82V74Y5W12Z7SV5A74.exe
"C:\$Recycle.Bin\U82V74Y5W12Z7SV5A74.exe"
7⤵
PID:6876

C:\Documents and Settings\L47U17V0N63U8GD6B61.exe
"C:\Documents and Settings\L47U17V0N63U8GD6B61.exe"
7⤵
PID:8180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
7⤵
PID:7304

C:\MSOCache\I33L08N0D87Z4NI8F68.exe
"C:\MSOCache\I33L08N0D87Z4NI8F68.exe"
7⤵
PID:4928

C:\PerfLogs\C83Z58U1F82S5DO5N88.exe
"C:\PerfLogs\C83Z58U1F82S5DO5N88.exe"
7⤵
PID:8432

C:\Program Files\L43L23L6Z21E1EA7K33.exe
"C:\Program Files\L43L23L6Z21E1EA7K33.exe"
7⤵
PID:8900

C:\Program Files (x86)\W85B67L3R51C1VR1C27.exe
"C:\Program Files (x86)\W85B67L3R51C1VR1C27.exe"
7⤵
PID:9312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:9304

C:\ProgramData\O04O08L6F56Q4ZB5I02.exe
"C:\ProgramData\O04O08L6F56Q4ZB5I02.exe"
7⤵
PID:9924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
7⤵
PID:1816

C:\Program Files\L52Q61U4A33A3WG3J24.exe
"C:\Program Files\L52Q61U4A33A3WG3J24.exe"
5⤵
PID:2172

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3424

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3260

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6068

C:\$Recycle.Bin\C33E32Z1P80X2GG5J48.exe
"C:\$Recycle.Bin\C33E32Z1P80X2GG5J48.exe"
7⤵
PID:8040

C:\Documents and Settings\Q43B75V5T16E5JV8X82.exe
"C:\Documents and Settings\Q43B75V5T16E5JV8X82.exe"
7⤵
PID:6872

C:\Program Files (x86)\M24I72Y3O43W7TX4H87.exe
"C:\Program Files (x86)\M24I72Y3O43W7TX4H87.exe"
5⤵
PID:1816

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4080

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1028

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4764

C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe
"C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe"
7⤵
PID:8556

C:\ProgramData\X57M34L8Y24I4YU7W53.exe
"C:\ProgramData\X57M34L8Y24I4YU7W53.exe"
5⤵
PID:2464

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4088

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1756

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5552

C:\$Recycle.Bin\U80Y44N7P55R5EP4Z04.exe
"C:\$Recycle.Bin\U80Y44N7P55R5EP4Z04.exe"
7⤵
PID:5660

C:\Recovery\X60R07B8D31M4OO5E42.exe
"C:\Recovery\X60R07B8D31M4OO5E42.exe"
5⤵
PID:3168

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4056

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2152

C:\$Recycle.Bin\S86J27D0E12S5CS7R63.exe
"C:\$Recycle.Bin\S86J27D0E12S5CS7R63.exe"
7⤵
PID:9956

C:\Users\U24V38N7S75G7IO5Y05.exe
"C:\Users\U24V38N7S75G7IO5Y05.exe"
5⤵
PID:3540

C:\H2.exe
"C:\H2.exe"
6⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3548

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1120

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7952

C:\$Recycle.Bin\P25J32I8L64M3JE6S77.exe
"C:\$Recycle.Bin\P25J32I8L64M3JE6S77.exe"
7⤵
PID:4432

C:\Windows\W82P05Y7D10F6JL2L08.exe
"C:\Windows\W82P05Y7D10F6JL2L08.exe"
5⤵
PID:2016

C:\H2.exe
"C:\H2.exe"
6⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2068

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7492

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
5⤵
PID:3504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:275457 /prefetch:2
6⤵
PID:8240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
5⤵
PID:4696

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4696 CREDAT:275457 /prefetch:2
6⤵
PID:9348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:4896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
5⤵
PID:8016

C:\MSOCache\P75J88Z0E64G2LN7D81.exe
"C:\MSOCache\P75J88Z0E64G2LN7D81.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900

C:\H2.exe
"C:\H2.exe"
4⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1068

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2292

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2384

C:\$Recycle.Bin\T03Y67Q0C20H3PE8H00.exe
"C:\$Recycle.Bin\T03Y67Q0C20H3PE8H00.exe"
5⤵
PID:1248

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2496

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
7⤵
PID:6096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
7⤵
PID:5552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=mcafee%20vs%20norton%202024%20free
7⤵
PID:4668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
7⤵
PID:4680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
7⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:4504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
7⤵
PID:3488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
7⤵
PID:2228

C:\Documents and Settings\U40V06O1S43J3SP2E83.exe
"C:\Documents and Settings\U40V06O1S43J3SP2E83.exe"
5⤵
PID:1928

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4072

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2436

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5720

C:\$Recycle.Bin\D47M74R5V05K4MF2Q47.exe
"C:\$Recycle.Bin\D47M74R5V05K4MF2Q47.exe"
7⤵
PID:9388

C:\Documents and Settings\A65E54B3D76Q2BQ1O57.exe
"C:\Documents and Settings\A65E54B3D76Q2BQ1O57.exe"
7⤵
PID:9608

C:\MSOCache\C77O68U1B46A7NB4R35.exe
"C:\MSOCache\C77O68U1B46A7NB4R35.exe"
7⤵
PID:12044

C:\MSOCache\E63W12N6H48L8JF1B22.exe
"C:\MSOCache\E63W12N6H48L8JF1B22.exe"
5⤵
PID:1648

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4064

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6900

C:\$Recycle.Bin\K11M12O3N84Z6KL0V20.exe
"C:\$Recycle.Bin\K11M12O3N84Z6KL0V20.exe"
7⤵
PID:1536

C:\PerfLogs\U26Z02C8X83L7YI2G84.exe
"C:\PerfLogs\U26Z02C8X83L7YI2G84.exe"
5⤵
PID:3912

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4008

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5188

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Documents and Settings\S51U18J8O71F6EJ6U06.exe
"C:\Documents and Settings\S51U18J8O71F6EJ6U06.exe"
7⤵
PID:6184

C:\Program Files\W20V46O2I84M2KH6Z75.exe
"C:\Program Files\W20V46O2I84M2KH6Z75.exe"
5⤵
PID:3472

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:6996

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2500

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10060

C:\$Recycle.Bin\K18T32L3Q26H0FL3S50.exe
"C:\$Recycle.Bin\K18T32L3Q26H0FL3S50.exe"
7⤵
PID:1164

C:\Program Files (x86)\S57R15E2U62V8DK1J43.exe
"C:\Program Files (x86)\S57R15E2U62V8DK1J43.exe"
5⤵
PID:2804

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8352

C:\ProgramData\W80W25V8G42O1EL5H38.exe
"C:\ProgramData\W80W25V8G42O1EL5H38.exe"
5⤵
PID:792

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:10144

C:\Recovery\C80J10L4U07S8VP7O08.exe
"C:\Recovery\C80J10L4U07S8VP7O08.exe"
5⤵
PID:4348

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9872

C:\Users\B56U23B7Z05Y7LK6B50.exe
"C:\Users\B56U23B7Z05Y7LK6B50.exe"
5⤵
PID:5296

C:\Windows\J07E52M7J18D7TX7K16.exe
"C:\Windows\J07E52M7J18D7TX7K16.exe"
5⤵
PID:3564

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
5⤵
PID:6628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6628 CREDAT:275457 /prefetch:2
6⤵
PID:11468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
5⤵
PID:7612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download
5⤵
PID:9740

C:\PerfLogs\L27B52A2L11N4YX2L57.exe
"C:\PerfLogs\L27B52A2L11N4YX2L57.exe"
3⤵
- Executes dropped EXE
PID:904

C:\H2.exe
"C:\H2.exe"
4⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:868

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2576

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:788

C:\$Recycle.Bin\V65W63O5S20L8CQ0L61.exe
"C:\$Recycle.Bin\V65W63O5S20L8CQ0L61.exe"
5⤵
PID:2936

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3796

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
7⤵
PID:5476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
7⤵
PID:6228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:6940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
7⤵
PID:8596

C:\Documents and Settings\P05A55A2R20X5OC4P08.exe
"C:\Documents and Settings\P05A55A2R20X5OC4P08.exe"
5⤵
PID:2092

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2924

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3088

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4760

C:\$Recycle.Bin\S51U18J8O71F6EJ6U06.exe
"C:\$Recycle.Bin\S51U18J8O71F6EJ6U06.exe"
7⤵
PID:7900

C:\MSOCache\F45O23Q6U48G3GW2A75.exe
"C:\MSOCache\F45O23Q6U48G3GW2A75.exe"
5⤵
PID:3820

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3032

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2300

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7796

C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe
"C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe"
7⤵
PID:12276

C:\PerfLogs\T35N54V6M47V1MQ5Y73.exe
"C:\PerfLogs\T35N54V6M47V1MQ5Y73.exe"
5⤵
PID:2068

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3360

C:\Program Files\O40O38A2E55H1LN8J53.exe
"C:\Program Files\O40O38A2E55H1LN8J53.exe"
5⤵
PID:4280

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9688

C:\Program Files (x86)\V55A86A5D84M4XJ6R76.exe
"C:\Program Files (x86)\V55A86A5D84M4XJ6R76.exe"
5⤵
PID:4380

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8264

C:\ProgramData\Q41H23B8X56E3HE4S07.exe
"C:\ProgramData\Q41H23B8X56E3HE4S07.exe"
5⤵
PID:5900

C:\Recovery\I00L75I4W22G7MF8F76.exe
"C:\Recovery\I00L75I4W22G7MF8F76.exe"
5⤵
PID:5132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
5⤵
PID:6096

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6096 CREDAT:275457 /prefetch:2
6⤵
PID:1736

C:\Users\S04E82K8Y28D6AM8A67.exe
"C:\Users\S04E82K8Y28D6AM8A67.exe"
5⤵
PID:4208

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10560

C:\Windows\U48I50F1R83N1XX5U80.exe
"C:\Windows\U48I50F1R83N1XX5U80.exe"
5⤵
PID:5640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
5⤵
PID:6264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6264 CREDAT:275457 /prefetch:2
6⤵
PID:11108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
5⤵
PID:6400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6400 CREDAT:275457 /prefetch:2
6⤵
PID:8972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:6584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6584 CREDAT:275457 /prefetch:2
6⤵
PID:11460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
5⤵
PID:6724

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:275457 /prefetch:2
6⤵
PID:11352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
5⤵
PID:6452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7348

C:\Program Files\G62B37Y2F62X5DP6O73.exe
"C:\Program Files\G62B37Y2F62X5DP6O73.exe"
3⤵
- Executes dropped EXE
PID:2880

C:\H2.exe
"C:\H2.exe"
4⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:820

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\$Recycle.Bin\D23Z41A0M02K6EX3X45.exe
"C:\$Recycle.Bin\D23Z41A0M02K6EX3X45.exe"
5⤵
PID:3896

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3928

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:9476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
7⤵
PID:10892

C:\Documents and Settings\W80W25V8G42O1EL5H38.exe
"C:\Documents and Settings\W80W25V8G42O1EL5H38.exe"
5⤵
PID:3740

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:9396

C:\MSOCache\J30F57A7L48K2CV7E54.exe
"C:\MSOCache\J30F57A7L48K2CV7E54.exe"
5⤵
PID:3560

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9760

C:\PerfLogs\Z51T25A3J76S3IR4B80.exe
"C:\PerfLogs\Z51T25A3J76S3IR4B80.exe"
5⤵
PID:4212

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9172

C:\Program Files\M56Q78R7G67A4KF8N28.exe
"C:\Program Files\M56Q78R7G67A4KF8N28.exe"
5⤵
PID:4384

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=club%20penguin
5⤵
PID:4400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:275457 /prefetch:2
6⤵
PID:8476

C:\Program Files (x86)\Q48K85D0H46H2UR2Q57.exe
"C:\Program Files (x86)\Q48K85D0H46H2UR2Q57.exe"
5⤵
PID:4536

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
5⤵
PID:5032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:275457 /prefetch:2
6⤵
PID:8468

C:\ProgramData\N75U70L5Z45H3YP7A53.exe
"C:\ProgramData\N75U70L5Z45H3YP7A53.exe"
5⤵
PID:5164

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:6768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6768 CREDAT:275457 /prefetch:2
6⤵
PID:11476

C:\Recovery\X80V36U1P27H5WL4F46.exe
"C:\Recovery\X80V36U1P27H5WL4F46.exe"
5⤵
PID:6836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:6928

C:\Users\B34O16B8W76J3ZT8Z24.exe
"C:\Users\B34O16B8W76J3ZT8Z24.exe"
5⤵
PID:7660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
5⤵
PID:7856

C:\Windows\G08O75J8A20W7TE7S86.exe
"C:\Windows\G08O75J8A20W7TE7S86.exe"
5⤵
PID:7864

C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe
"C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe"
3⤵
- Executes dropped EXE
PID:1104

C:\H2.exe
"C:\H2.exe"
4⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1676

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2384

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2140

C:\$Recycle.Bin\E56H47Y4P11V6KY3Z53.exe
"C:\$Recycle.Bin\E56H47Y4P11V6KY3Z53.exe"
5⤵
PID:2320

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3096

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10356

C:\Documents and Settings\G40W20Z2S67P6ZZ1O21.exe
"C:\Documents and Settings\G40W20Z2S67P6ZZ1O21.exe"
5⤵
PID:4612

C:\MSOCache\F00D26I5Q72U0DF7I23.exe
"C:\MSOCache\F00D26I5Q72U0DF7I23.exe"
5⤵
PID:5156

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:5840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5840 CREDAT:275457 /prefetch:2
6⤵
PID:9416

C:\PerfLogs\O44Z26O3P55O7ZI1G85.exe
"C:\PerfLogs\O44Z26O3P55O7ZI1G85.exe"
5⤵
PID:5876

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9944

C:\Program Files\P06R82H2V67F2JD4N84.exe
"C:\Program Files\P06R82H2V67F2JD4N84.exe"
5⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
5⤵
PID:7964

C:\ProgramData\T42I71V5M21S7HU1D55.exe
"C:\ProgramData\T42I71V5M21S7HU1D55.exe"
3⤵
- Executes dropped EXE
PID:2328

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2044

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3008

C:\$Recycle.Bin\Z45L14U6M62W2GW1K15.exe
"C:\$Recycle.Bin\Z45L14U6M62W2GW1K15.exe"
5⤵
PID:4748

C:\Documents and Settings\M11Z27L0C10W4JA7T33.exe
"C:\Documents and Settings\M11Z27L0C10W4JA7T33.exe"
5⤵
PID:4068

C:\MSOCache\O56T34S0T82S0PV4E43.exe
"C:\MSOCache\O56T34S0T82S0PV4E43.exe"
5⤵
PID:10920

C:\PerfLogs\P44M66M2Z72M0JR4Q20.exe
"C:\PerfLogs\P44M66M2Z72M0JR4Q20.exe"
5⤵
PID:6056

C:\Program Files\G43D35P8X41B8VR3F88.exe
"C:\Program Files\G43D35P8X41B8VR3F88.exe"
5⤵
PID:11304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:11424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:7072

C:\Program Files (x86)\G23B08A4I12W6BM6L88.exe
"C:\Program Files (x86)\G23B08A4I12W6BM6L88.exe"
5⤵
PID:5292

C:\Recovery\B15A23V2Z32H7IH1S00.exe
"C:\Recovery\B15A23V2Z32H7IH1S00.exe"
3⤵
- Executes dropped EXE
PID:1572

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3032

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3556

C:\$Recycle.Bin\H14O75X2I74N4XO8R86.exe
"C:\$Recycle.Bin\H14O75X2I74N4XO8R86.exe"
5⤵
PID:2664

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:9692

C:\Documents and Settings\N27L05R8G54B1WG5O34.exe
"C:\Documents and Settings\N27L05R8G54B1WG5O34.exe"
5⤵
PID:1048

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6412

C:\MSOCache\N12F72N6M84U4VI0S33.exe
"C:\MSOCache\N12F72N6M84U4VI0S33.exe"
5⤵
PID:4736

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:11540

C:\PerfLogs\E52A25Y6S14M4EX6H37.exe
"C:\PerfLogs\E52A25Y6S14M4EX6H37.exe"
5⤵
PID:4836

C:\H2.exe
"C:\H2.exe"
6⤵
PID:1744

C:\Program Files\C28G71T0F50M7LE0W18.exe
"C:\Program Files\C28G71T0F50M7LE0W18.exe"
5⤵
PID:4936

C:\Program Files (x86)\P50D11L7C17W4YT3P25.exe
"C:\Program Files (x86)\P50D11L7C17W4YT3P25.exe"
5⤵
PID:5004

C:\ProgramData\U77Y74X4D63F7SF3Y33.exe
"C:\ProgramData\U77Y74X4D63F7SF3Y33.exe"
5⤵
PID:1964

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
5⤵
PID:4972

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:275457 /prefetch:2
6⤵
PID:4536

C:\Recovery\L72X53U7H02F5EI5F45.exe
"C:\Recovery\L72X53U7H02F5EI5F45.exe"
5⤵
PID:4512

C:\Users\Z03S88V8P57N3CO5S27.exe
"C:\Users\Z03S88V8P57N3CO5S27.exe"
5⤵
PID:2620

C:\Windows\J20G18F6C30B6WI1P42.exe
"C:\Windows\J20G18F6C30B6WI1P42.exe"
5⤵
PID:6608

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
5⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
5⤵
PID:9188

C:\Users\V52M26K4H05C0VC5V83.exe
"C:\Users\V52M26K4H05C0VC5V83.exe"
3⤵
- Executes dropped EXE
PID:708

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1744

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3324

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3532

C:\$Recycle.Bin\T32H37K6O10I2MY1J00.exe
"C:\$Recycle.Bin\T32H37K6O10I2MY1J00.exe"
5⤵
PID:7360

C:\Documents and Settings\D84Z58Z1P76Y8RH1K54.exe
"C:\Documents and Settings\D84Z58Z1P76Y8RH1K54.exe"
5⤵
PID:7472

C:\MSOCache\Q78J03J4S53U2YU4J64.exe
"C:\MSOCache\Q78J03J4S53U2YU4J64.exe"
5⤵
PID:8228

C:\PerfLogs\A27E25X6Z62R7DO3I78.exe
"C:\PerfLogs\A27E25X6Z62R7DO3I78.exe"
5⤵
PID:8424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:8440

C:\Program Files\M80K45Z4E47H1WU3N60.exe
"C:\Program Files\M80K45Z4E47H1WU3N60.exe"
5⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:9400

C:\Program Files (x86)\S52C87V1G64Q7JO8E47.exe
"C:\Program Files (x86)\S52C87V1G64Q7JO8E47.exe"
5⤵
PID:1284

C:\ProgramData\R34H83C3E58O3HQ3F07.exe
"C:\ProgramData\R34H83C3E58O3HQ3F07.exe"
5⤵
PID:10628

C:\Recovery\D88U10Z6M34M8QS2O07.exe
"C:\Recovery\D88U10Z6M34M8QS2O07.exe"
5⤵
PID:11160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:1548

C:\Users\R50U17F7E86Z3QQ1X30.exe
"C:\Users\R50U17F7E86Z3QQ1X30.exe"
5⤵
PID:1260

C:\Windows\L41L08F3V25W3FM5B35.exe
"C:\Windows\L41L08F3V25W3FM5B35.exe"
3⤵
PID:2320

C:\H2.exe
"C:\H2.exe"
4⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2688

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3656

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2344

C:\$Recycle.Bin\Q78J03J4S53U2YU4J64.exe
"C:\$Recycle.Bin\Q78J03J4S53U2YU4J64.exe"
5⤵
PID:9568

C:\Documents and Settings\R47U46C5B58D4CP1X38.exe
"C:\Documents and Settings\R47U46C5B58D4CP1X38.exe"
5⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:2452

C:\MSOCache\C55S20D8J74F4US1X40.exe
"C:\MSOCache\C55S20D8J74F4US1X40.exe"
5⤵
PID:10936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
3⤵
PID:2460

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:472067 /prefetch:2
4⤵
PID:2060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
3⤵
PID:4120

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4120 CREDAT:275457 /prefetch:2
4⤵
PID:8736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
3⤵
PID:5560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5560 CREDAT:275457 /prefetch:2
4⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
3⤵
PID:8996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
3⤵
PID:9964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1492331339-383879826-1413902254-40034604621409914911141351193742244431996279503"
1⤵
PID:868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2146573299-1127421930-1677135656-19359582231606294831-939949093-1939395445-1354855128"
1⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\H2.exe
Filesize
22KB

MD5
b014736055c3a7cf6af257dd7f84af7d

SHA1
d2ac0fb6482c2551a72fac685312c007e3e294d7

SHA256
d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86

SHA512
c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27

Download Submit
memory/708-132-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/792-235-0x0000000001280000-0x000000000128C000-memory.dmp

Filesize
48KB

Download
memory/904-56-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/936-137-0x00000000013D0000-0x00000000013DC000-memory.dmp

Filesize
48KB

Download
memory/1104-95-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1248-140-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1572-124-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/1648-172-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1740-1-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/1740-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1816-171-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1928-170-0x0000000001370000-0x000000000137C000-memory.dmp

Filesize
48KB

Download
memory/1964-339-0x0000000001060000-0x000000000106C000-memory.dmp

Filesize
48KB

Download
memory/2016-216-0x0000000001230000-0x000000000123C000-memory.dmp

Filesize
48KB

Download
memory/2068-229-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2092-175-0x0000000001090000-0x000000000109C000-memory.dmp

Filesize
48KB

Download
memory/2172-162-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2320-146-0x0000000001330000-0x000000000133C000-memory.dmp

Filesize
48KB

Download
memory/2320-219-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/2328-119-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/2332-44-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2464-173-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2620-400-0x0000000000F40000-0x0000000000F4C000-memory.dmp

Filesize
48KB

Download
memory/2620-33-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download
memory/2664-142-0x0000000000F20000-0x0000000000F2C000-memory.dmp

Filesize
48KB

Download
memory/2664-226-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2716-30-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-8-0x0000000001170000-0x000000000117C000-memory.dmp

Filesize
48KB

Download
memory/2716-9-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-313-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/2816-114-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2880-101-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2900-49-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/3064-152-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/3168-174-0x0000000001390000-0x000000000139C000-memory.dmp

Filesize
48KB

Download
memory/3472-206-0x00000000013E0000-0x00000000013EC000-memory.dmp

Filesize
48KB

Download
memory/3540-188-0x0000000001190000-0x000000000119C000-memory.dmp

Filesize
48KB

Download
memory/3560-325-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/3564-353-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/3740-317-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/3820-190-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/3896-192-0x0000000001100000-0x000000000110C000-memory.dmp

Filesize
48KB

Download
memory/3912-191-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download
memory/4208-397-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/4212-322-0x0000000001110000-0x000000000111C000-memory.dmp

Filesize
48KB

Download
memory/4348-344-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/4380-326-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/4384-324-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/4736-298-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/4836-285-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/5156-362-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/5164-377-0x00000000010B0000-0x00000000010BC000-memory.dmp

Filesize
48KB

Download
memory/5876-380-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/6608-416-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/7864-417-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download