Analysis
- max time kernel: 2s
- max time network: 264s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 03:25
Static task: static1
Behavioral task: behavioral1
- Sample: H2 (2).exe
- Resource: win7-20240220-en
General
- Target: H2 (2).exe
- Size: 22KB
- MD5: b014736055c3a7cf6af257dd7f84af7d
- SHA1: d2ac0fb6482c2551a72fac685312c007e3e294d7
- SHA256: d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
- SHA512: c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
- SSDEEP: 384:Pl5PmikkxZNVUwSymwfixj1VUVIx2b4KJBy/V+wTMUufgqflVW9s:PlxkkDmp9UbdvQMSAlU9
Malware Config
Signatures
UAC bypass
Processes: H2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (H2.exe, 4 IoCs)
Disables RegEdit via registry modification 4 IoCs
Processes: H2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (H2.exe, 4 IoCs)
Possible privilege escalation attempt 56 IoCs
Processes: takeown.exe, icacls.exe
Executes dropped EXE 19 IoCs
Processes (pid process):
- 2716 H2.exe
- 2620 N64F43K1J70W0XF2M53.exe
- 2212 H2.exe
- 2332 V38X85K7V81L8YS3A17.exe
- 2740 H2.exe
- 2900 P75J88Z0E64G2LN7D81.exe
- 2004 H2.exe
- 904 L27B52A2L11N4YX2L57.exe
- 2880 G62B37Y2F62X5DP6O73.exe
- 1584 H2.exe
- 1104 O35S70Y0R72N5EC7D37.exe
- 2816 V02X31P8S06N5NS7R48.exe
- 2328 T42I71V5M21S7HU1D55.exe
- 1572 B15A23V2Z32H7IH1S00.exe
- 708 V52M26K4H05C0VC5V83.exe
- 1932 H2.exe
- 936 U01R45U3P16E3XX8M31.exe
- 2288 H2.exe
- 1616 H2.exe
Loads dropped DLL 11 IoCs
Processes (pid process): 2716 H2.exe (9 IoCs), 2740 H2.exe (2 IoCs)
Modifies file permissions 1 TTPs 56 IoCs
Processes: takeown.exe, icacls.exe
Checks whether UAC is enabled
Processes: H2.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (H2.exe, 4 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (H2.exe, 4 IoCs)
Drops file in Program Files directory 4 IoCs
Processes: H2.exe
- File created C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe (H2.exe)
- File created C:\Program Files\A06C73C8G47F7KU5F60.exe (H2.exe)
- File created C:\Program Files (x86)\A06C73C8G47F7KU5F60.exe (H2.exe)
- File created C:\Program Files\G62B37Y2F62X5DP6O73.exe (H2.exe)
Drops file in Windows directory 1 IoCs
Processes: H2.exe
- File created C:\Windows\A06C73C8G47F7KU5F60.exe (H2.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process): 2716 H2.exe (64 IoCs)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes: H2.exe, takeown.exe
- Token: SeDebugPrivilege, H2.exe, pids 2716, 2212, 2740, 2004, 1584 (2 IoCs each)
- Token: SeTakeOwnershipPrivilege, takeown.exe, pids 2560, 2316 (1 IoC each)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: H2 (2).exe, H2.exe, cmd.exe, N64F43K1J70W0XF2M53.exe, V38X85K7V81L8YS3A17.exe, P75J88Z0E64G2LN7D81.exe
Each record below appeared 4 times (pid process -> target pid target process):
- PID 1740 H2 (2).exe wrote to memory of 2716 H2.exe
- PID 2716 H2.exe wrote to memory of 3024 cmd.exe
- PID 3024 cmd.exe wrote to memory of 2560 takeown.exe
- PID 3024 cmd.exe wrote to memory of 2668 icacls.exe
- PID 2716 H2.exe wrote to memory of 2620 N64F43K1J70W0XF2M53.exe
- PID 2620 N64F43K1J70W0XF2M53.exe wrote to memory of 2212 H2.exe
- PID 2716 H2.exe wrote to memory of 2332 V38X85K7V81L8YS3A17.exe
- PID 2212 H2.exe wrote to memory of 1676 cmd.exe
- PID 2716 H2.exe wrote to memory of 2900 P75J88Z0E64G2LN7D81.exe
- PID 2332 V38X85K7V81L8YS3A17.exe wrote to memory of 2740 H2.exe
- PID 1676 cmd.exe wrote to memory of 2316 takeown.exe
- PID 2740 H2.exe wrote to memory of 832 cmd.exe
- PID 2900 P75J88Z0E64G2LN7D81.exe wrote to memory of 2004 H2.exe
- PID 2716 H2.exe wrote to memory of 904 L27B52A2L11N4YX2L57.exe
- PID 832 cmd.exe wrote to memory of 2320 L41L08F3V25W3FM5B35.exe
- PID 832 cmd.exe wrote to memory of 1832 icacls.exe
System policy modification 1 TTPs 12 IoCs
Processes: H2.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (H2.exe, 4 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (H2.exe, 4 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (H2.exe, 4 IoCs)
Processes
Each entry is shown as [depth] image path, followed by the command line; signatures triggered by that process are listed beneath it.
[1] C:\Users\Admin\AppData\Local\Temp\H2 (2).exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\H2 (2).exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\H2.exe  cmdline: "C:\H2.exe"
      - UAC bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
          - Possible privilege escalation attempt
          - Modifies file permissions
    [3] C:\$Recycle.Bin\N64F43K1J70W0XF2M53.exe  cmdline: "C:\$Recycle.Bin\N64F43K1J70W0XF2M53.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\H2.exe  cmdline: "C:\H2.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
    [3] C:\Documents and Settings\V38X85K7V81L8YS3A17.exe  cmdline: "C:\Documents and Settings\V38X85K7V81L8YS3A17.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\H2.exe  cmdline: "C:\H2.exe"
          - UAC bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
              - Possible privilege escalation attempt
              - Modifies file permissions
          [6] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
              - Possible privilege escalation attempt
              - Modifies file permissions
        [5] C:\$Recycle.Bin\V02X31P8S06N5NS7R48.exe  cmdline: "C:\$Recycle.Bin\V02X31P8S06N5NS7R48.exe"
            - Executes dropped EXE
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
        [5] C:\Documents and Settings\U01R45U3P16E3XX8M31.exe  cmdline: "C:\Documents and Settings\U01R45U3P16E3XX8M31.exe"
            - Executes dropped EXE
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\P57G70B0U52O2KN2O46.exe  cmdline: "C:\$Recycle.Bin\P57G70B0U52O2KN2O46.exe"
            [7] C:\Documents and Settings\R06B46W0A85M4ZM6N88.exe  cmdline: "C:\Documents and Settings\R06B46W0A85M4ZM6N88.exe"
            [7] C:\MSOCache\Q55U01I4Y62A1BR5T36.exe  cmdline: "C:\MSOCache\Q55U01I4Y62A1BR5T36.exe"
            [7] C:\PerfLogs\N08B01L3W65T7OL4P02.exe  cmdline: "C:\PerfLogs\N08B01L3W65T7OL4P02.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        [5] C:\MSOCache\D77T56F6J25H4EZ5N82.exe  cmdline: "C:\MSOCache\D77T56F6J25H4EZ5N82.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\P68L53Q0Z68S2AI8W35.exe  cmdline: "C:\$Recycle.Bin\P68L53Q0Z68S2AI8W35.exe"
            [7] C:\Documents and Settings\Y80N33P8I21R0WJ4P43.exe  cmdline: "C:\Documents and Settings\Y80N33P8I21R0WJ4P43.exe"
            [7] C:\MSOCache\D88U10Z6M34M8QS2O07.exe  cmdline: "C:\MSOCache\D88U10Z6M34M8QS2O07.exe"
        [5] C:\PerfLogs\T65S27A6X45A7OJ4T24.exe  cmdline: "C:\PerfLogs\T65S27A6X45A7OJ4T24.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\U82V74Y5W12Z7SV5A74.exe  cmdline: "C:\$Recycle.Bin\U82V74Y5W12Z7SV5A74.exe"
            [7] C:\Documents and Settings\L47U17V0N63U8GD6B61.exe  cmdline: "C:\Documents and Settings\L47U17V0N63U8GD6B61.exe"
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
            [7] C:\MSOCache\I33L08N0D87Z4NI8F68.exe  cmdline: "C:\MSOCache\I33L08N0D87Z4NI8F68.exe"
            [7] C:\PerfLogs\C83Z58U1F82S5DO5N88.exe  cmdline: "C:\PerfLogs\C83Z58U1F82S5DO5N88.exe"
            [7] C:\Program Files\L43L23L6Z21E1EA7K33.exe  cmdline: "C:\Program Files\L43L23L6Z21E1EA7K33.exe"
            [7] C:\Program Files (x86)\W85B67L3R51C1VR1C27.exe  cmdline: "C:\Program Files (x86)\W85B67L3R51C1VR1C27.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
            [7] C:\ProgramData\O04O08L6F56Q4ZB5I02.exe  cmdline: "C:\ProgramData\O04O08L6F56Q4ZB5I02.exe"
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
        [5] C:\Program Files\L52Q61U4A33A3WG3J24.exe  cmdline: "C:\Program Files\L52Q61U4A33A3WG3J24.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\C33E32Z1P80X2GG5J48.exe  cmdline: "C:\$Recycle.Bin\C33E32Z1P80X2GG5J48.exe"
            [7] C:\Documents and Settings\Q43B75V5T16E5JV8X82.exe  cmdline: "C:\Documents and Settings\Q43B75V5T16E5JV8X82.exe"
        [5] C:\Program Files (x86)\M24I72Y3O43W7TX4H87.exe  cmdline: "C:\Program Files (x86)\M24I72Y3O43W7TX4H87.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe  cmdline: "C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe"
        [5] C:\ProgramData\X57M34L8Y24I4YU7W53.exe  cmdline: "C:\ProgramData\X57M34L8Y24I4YU7W53.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\U80Y44N7P55R5EP4Z04.exe  cmdline: "C:\$Recycle.Bin\U80Y44N7P55R5EP4Z04.exe"
        [5] C:\Recovery\X60R07B8D31M4OO5E42.exe  cmdline: "C:\Recovery\X60R07B8D31M4OO5E42.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\S86J27D0E12S5CS7R63.exe  cmdline: "C:\$Recycle.Bin\S86J27D0E12S5CS7R63.exe"
        [5] C:\Users\U24V38N7S75G7IO5Y05.exe  cmdline: "C:\Users\U24V38N7S75G7IO5Y05.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\P25J32I8L64M3JE6S77.exe  cmdline: "C:\$Recycle.Bin\P25J32I8L64M3JE6S77.exe"
        [5] C:\Windows\W82P05Y7D10F6JL2L08.exe  cmdline: "C:\Windows\W82P05Y7D10F6JL2L08.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:275457 /prefetch:2
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4696 CREDAT:275457 /prefetch:2
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
    [3] C:\MSOCache\P75J88Z0E64G2LN7D81.exe  cmdline: "C:\MSOCache\P75J88Z0E64G2LN7D81.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\H2.exe  cmdline: "C:\H2.exe"
          - UAC bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [6] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
              - Possible privilege escalation attempt
              - Modifies file permissions
          [6] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
              - Possible privilege escalation attempt
              - Modifies file permissions
        [5] C:\$Recycle.Bin\T03Y67Q0C20H3PE8H00.exe  cmdline: "C:\$Recycle.Bin\T03Y67Q0C20H3PE8H00.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=mcafee%20vs%20norton%202024%20free
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
            [7] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
        [5] C:\Documents and Settings\U40V06O1S43J3SP2E83.exe  cmdline: "C:\Documents and Settings\U40V06O1S43J3SP2E83.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\D47M74R5V05K4MF2Q47.exe  cmdline: "C:\$Recycle.Bin\D47M74R5V05K4MF2Q47.exe"
            [7] C:\Documents and Settings\A65E54B3D76Q2BQ1O57.exe  cmdline: "C:\Documents and Settings\A65E54B3D76Q2BQ1O57.exe"
            [7] C:\MSOCache\C77O68U1B46A7NB4R35.exe  cmdline: "C:\MSOCache\C77O68U1B46A7NB4R35.exe"
        [5] C:\MSOCache\E63W12N6H48L8JF1B22.exe  cmdline: "C:\MSOCache\E63W12N6H48L8JF1B22.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\K11M12O3N84Z6KL0V20.exe  cmdline: "C:\$Recycle.Bin\K11M12O3N84Z6KL0V20.exe"
        [5] C:\PerfLogs\U26Z02C8X83L7YI2G84.exe  cmdline: "C:\PerfLogs\U26Z02C8X83L7YI2G84.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\Documents and Settings\S51U18J8O71F6EJ6U06.exe  cmdline: "C:\Documents and Settings\S51U18J8O71F6EJ6U06.exe"
        [5] C:\Program Files\W20V46O2I84M2KH6Z75.exe  cmdline: "C:\Program Files\W20V46O2I84M2KH6Z75.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [8] C:\Windows\SysWOW64\takeown.exe  cmdline: takeown /f C:\Windows\System32
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\SysWOW64\icacls.exe  cmdline: icacls C:\Windows\System32 /grant "Admin:F"
                  - Possible privilege escalation attempt
                  - Modifies file permissions
            [7] C:\$Recycle.Bin\K18T32L3Q26H0FL3S50.exe  cmdline: "C:\$Recycle.Bin\K18T32L3Q26H0FL3S50.exe"
        [5] C:\Program Files (x86)\S57R15E2U62V8DK1J43.exe  cmdline: "C:\Program Files (x86)\S57R15E2U62V8DK1J43.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
        [5] C:\ProgramData\W80W25V8G42O1EL5H38.exe  cmdline: "C:\ProgramData\W80W25V8G42O1EL5H38.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
            [7] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        [5] C:\Recovery\C80J10L4U07S8VP7O08.exe  cmdline: "C:\Recovery\C80J10L4U07S8VP7O08.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
        [5] C:\Users\B56U23B7Z05Y7LK6B50.exe  cmdline: "C:\Users\B56U23B7Z05Y7LK6B50.exe"
        [5] C:\Windows\J07E52M7J18D7TX7K16.exe  cmdline: "C:\Windows\J07E52M7J18D7TX7K16.exe"
          [6] C:\H2.exe  cmdline: "C:\H2.exe"
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6628 CREDAT:275457 /prefetch:2
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download5⤵
-
    C:\PerfLogs\L27B52A2L11N4YX2L57.exe  "C:\PerfLogs\L27B52A2L11N4YX2L57.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        - UAC bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\V65W63O5S20L8CQ0L61.exe  "C:\$Recycle.Bin\V65W63O5S20L8CQ0L61.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
            C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
            C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
            C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
        C:\Documents and Settings\P05A55A2R20X5OC4P08.exe  "C:\Documents and Settings\P05A55A2R20X5OC4P08.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            C:\$Recycle.Bin\S51U18J8O71F6EJ6U06.exe  "C:\$Recycle.Bin\S51U18J8O71F6EJ6U06.exe"
        C:\MSOCache\F45O23Q6U48G3GW2A75.exe  "C:\MSOCache\F45O23Q6U48G3GW2A75.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe  "C:\$Recycle.Bin\S74E54O0Z05O5LY1K74.exe"
        C:\PerfLogs\T35N54V6M47V1MQ5Y73.exe  "C:\PerfLogs\T35N54V6M47V1MQ5Y73.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\O40O38A2E55H1LN8J53.exe  "C:\Program Files\O40O38A2E55H1LN8J53.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files (x86)\V55A86A5D84M4XJ6R76.exe  "C:\Program Files (x86)\V55A86A5D84M4XJ6R76.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\ProgramData\Q41H23B8X56E3HE4S07.exe  "C:\ProgramData\Q41H23B8X56E3HE4S07.exe"
        C:\Recovery\I00L75I4W22G7MF8F76.exe  "C:\Recovery\I00L75I4W22G7MF8F76.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6096 CREDAT:275457 /prefetch:2
        C:\Users\S04E82K8Y28D6AM8A67.exe  "C:\Users\S04E82K8Y28D6AM8A67.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Windows\U48I50F1R83N1XX5U80.exe  "C:\Windows\U48I50F1R83N1XX5U80.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6264 CREDAT:275457 /prefetch:2
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6400 CREDAT:275457 /prefetch:2
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6584 CREDAT:275457 /prefetch:2
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:275457 /prefetch:2
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
    C:\Program Files\G62B37Y2F62X5DP6O73.exe  "C:\Program Files\G62B37Y2F62X5DP6O73.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\D23Z41A0M02K6EX3X45.exe  "C:\$Recycle.Bin\D23Z41A0M02K6EX3X45.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
            C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
        C:\Documents and Settings\W80W25V8G42O1EL5H38.exe  "C:\Documents and Settings\W80W25V8G42O1EL5H38.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        C:\MSOCache\J30F57A7L48K2CV7E54.exe  "C:\MSOCache\J30F57A7L48K2CV7E54.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\PerfLogs\Z51T25A3J76S3IR4B80.exe  "C:\PerfLogs\Z51T25A3J76S3IR4B80.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\M56Q78R7G67A4KF8N28.exe  "C:\Program Files\M56Q78R7G67A4KF8N28.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=club%20penguin
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:275457 /prefetch:2
        C:\Program Files (x86)\Q48K85D0H46H2UR2Q57.exe  "C:\Program Files (x86)\Q48K85D0H46H2UR2Q57.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:275457 /prefetch:2
        C:\ProgramData\N75U70L5Z45H3YP7A53.exe  "C:\ProgramData\N75U70L5Z45H3YP7A53.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6768 CREDAT:275457 /prefetch:2
        C:\Recovery\X80V36U1P27H5WL4F46.exe  "C:\Recovery\X80V36U1P27H5WL4F46.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\Users\B34O16B8W76J3ZT8Z24.exe  "C:\Users\B34O16B8W76J3ZT8Z24.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
        C:\Windows\G08O75J8A20W7TE7S86.exe  "C:\Windows\G08O75J8A20W7TE7S86.exe"
    C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe  "C:\Program Files (x86)\O35S70Y0R72N5EC7D37.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\E56H47Y4P11V6KY3Z53.exe  "C:\$Recycle.Bin\E56H47Y4P11V6KY3Z53.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        C:\Documents and Settings\G40W20Z2S67P6ZZ1O21.exe  "C:\Documents and Settings\G40W20Z2S67P6ZZ1O21.exe"
        C:\MSOCache\F00D26I5Q72U0DF7I23.exe  "C:\MSOCache\F00D26I5Q72U0DF7I23.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5840 CREDAT:275457 /prefetch:2
        C:\PerfLogs\O44Z26O3P55O7ZI1G85.exe  "C:\PerfLogs\O44Z26O3P55O7ZI1G85.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\P06R82H2V67F2JD4N84.exe  "C:\Program Files\P06R82H2V67F2JD4N84.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
    C:\ProgramData\T42I71V5M21S7HU1D55.exe  "C:\ProgramData\T42I71V5M21S7HU1D55.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\Z45L14U6M62W2GW1K15.exe  "C:\$Recycle.Bin\Z45L14U6M62W2GW1K15.exe"
        C:\Documents and Settings\M11Z27L0C10W4JA7T33.exe  "C:\Documents and Settings\M11Z27L0C10W4JA7T33.exe"
        C:\MSOCache\O56T34S0T82S0PV4E43.exe  "C:\MSOCache\O56T34S0T82S0PV4E43.exe"
        C:\PerfLogs\P44M66M2Z72M0JR4Q20.exe  "C:\PerfLogs\P44M66M2Z72M0JR4Q20.exe"
        C:\Program Files\G43D35P8X41B8VR3F88.exe  "C:\Program Files\G43D35P8X41B8VR3F88.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
        C:\Program Files (x86)\G23B08A4I12W6BM6L88.exe  "C:\Program Files (x86)\G23B08A4I12W6BM6L88.exe"
    C:\Recovery\B15A23V2Z32H7IH1S00.exe  "C:\Recovery\B15A23V2Z32H7IH1S00.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\H14O75X2I74N4XO8R86.exe  "C:\$Recycle.Bin\H14O75X2I74N4XO8R86.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        C:\Documents and Settings\N27L05R8G54B1WG5O34.exe  "C:\Documents and Settings\N27L05R8G54B1WG5O34.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\MSOCache\N12F72N6M84U4VI0S33.exe  "C:\MSOCache\N12F72N6M84U4VI0S33.exe"
          C:\H2.exe  "C:\H2.exe"
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        C:\PerfLogs\E52A25Y6S14M4EX6H37.exe  "C:\PerfLogs\E52A25Y6S14M4EX6H37.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\C28G71T0F50M7LE0W18.exe  "C:\Program Files\C28G71T0F50M7LE0W18.exe"
        C:\Program Files (x86)\P50D11L7C17W4YT3P25.exe  "C:\Program Files (x86)\P50D11L7C17W4YT3P25.exe"
        C:\ProgramData\U77Y74X4D63F7SF3Y33.exe  "C:\ProgramData\U77Y74X4D63F7SF3Y33.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:275457 /prefetch:2
        C:\Recovery\L72X53U7H02F5EI5F45.exe  "C:\Recovery\L72X53U7H02F5EI5F45.exe"
        C:\Users\Z03S88V8P57N3CO5S27.exe  "C:\Users\Z03S88V8P57N3CO5S27.exe"
        C:\Windows\J20G18F6C30B6WI1P42.exe  "C:\Windows\J20G18F6C30B6WI1P42.exe"
          C:\H2.exe  "C:\H2.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
    C:\Users\V52M26K4H05C0VC5V83.exe  "C:\Users\V52M26K4H05C0VC5V83.exe"
      - Executes dropped EXE
      C:\H2.exe  "C:\H2.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\T32H37K6O10I2MY1J00.exe  "C:\$Recycle.Bin\T32H37K6O10I2MY1J00.exe"
        C:\Documents and Settings\D84Z58Z1P76Y8RH1K54.exe  "C:\Documents and Settings\D84Z58Z1P76Y8RH1K54.exe"
        C:\MSOCache\Q78J03J4S53U2YU4J64.exe  "C:\MSOCache\Q78J03J4S53U2YU4J64.exe"
        C:\PerfLogs\A27E25X6Z62R7DO3I78.exe  "C:\PerfLogs\A27E25X6Z62R7DO3I78.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
        C:\Program Files\M80K45Z4E47H1WU3N60.exe  "C:\Program Files\M80K45Z4E47H1WU3N60.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\Program Files (x86)\S52C87V1G64Q7JO8E47.exe  "C:\Program Files (x86)\S52C87V1G64Q7JO8E47.exe"
        C:\ProgramData\R34H83C3E58O3HQ3F07.exe  "C:\ProgramData\R34H83C3E58O3HQ3F07.exe"
        C:\Recovery\D88U10Z6M34M8QS2O07.exe  "C:\Recovery\D88U10Z6M34M8QS2O07.exe"
        C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
        C:\Users\R50U17F7E86Z3QQ1X30.exe  "C:\Users\R50U17F7E86Z3QQ1X30.exe"
    C:\Windows\L41L08F3V25W3FM5B35.exe  "C:\Windows\L41L08F3V25W3FM5B35.exe"
      C:\H2.exe  "C:\H2.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          C:\Windows\SysWOW64\takeown.exe  takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          C:\Windows\SysWOW64\icacls.exe  icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        C:\$Recycle.Bin\Q78J03J4S53U2YU4J64.exe  "C:\$Recycle.Bin\Q78J03J4S53U2YU4J64.exe"
        C:\Documents and Settings\R47U46C5B58D4CP1X38.exe  "C:\Documents and Settings\R47U46C5B58D4CP1X38.exe"
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        C:\MSOCache\C55S20D8J74F4US1X40.exe  "C:\MSOCache\C55S20D8J74F4US1X40.exe"
    C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:472067 /prefetch:2
    C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4120 CREDAT:275457 /prefetch:2
    C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5560 CREDAT:275457 /prefetch:2
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
    C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-1492331339-383879826-1413902254-40034604621409914911141351193742244431996279503"
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-2146573299-1127421930-1677135656-19359582231606294831-939949093-1939395445-1354855128"
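The tree above repeats a small, very detectable pattern: every copy of H2.exe launches `cmd.exe /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"` (or the `/k` variant against System32\drivers with `%username%:F`), writes a further copy with a 19-character randomised name into one of ten fixed root-level folders ($Recycle.Bin, Documents and Settings, MSOCache, PerfLogs, Program Files, Program Files (x86), ProgramData, Recovery, Users, Windows), runs it, sets EnableLUA=0 and DisableRegistryTools=1 under the Policies\System key, and opens Internet Explorer with attacker-chosen Google queries. The script below is an added example, not part of this sandbox report: it encodes those observations as detection logic and runs it over hand-constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The filename regex is inferred from the dropped names listed in the tree, the process IDs in the sample events are made up, and the directory and command-line fragments come straight from the report.

```python
"""Detection logic for the takeown/icacls + dropper pattern seen in the process
tree.  Added example; the events below are constructed, not taken from a real
Sysmon log, and the PIDs are invented."""
import re

# Naming pattern inferred from the dropped files in the report, e.g.
# U40V06O1S43J3SP2E83.exe: 19 characters with a fixed letter/digit layout.
DROPPER_NAME = re.compile(
    r"^[A-Z]\d{2}[A-Z]\d{2}[A-Z]\d[A-Z]\d{2}[A-Z]\d[A-Z]{2}\d[A-Z]\d{2}\.exe$", re.I)

# Root-level folders the sample writes its copies into (all listed in the tree).
DROP_DIRS = {
    r"c:\$recycle.bin", r"c:\documents and settings", r"c:\msocache",
    r"c:\perflogs", r"c:\program files", r"c:\program files (x86)",
    r"c:\programdata", r"c:\recovery", r"c:\users", r"c:\windows",
}
PROTECTED_DIR = r"c:\windows\system32"      # prefix also covers System32\drivers
# icacls ... /grant "Admin:F" or /grant "%username%:F" (Full control)
GRANT_FULL = re.compile(r'/grant\s+"?[^\s"]+:f\b')

# Registry path shared by EnableLUA and DisableRegistryTools.
POLICIES_SYSTEM = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\"


def analyze_process(image: str, command_line: str) -> list[str]:
    """Return the suspicious traits of one process-creation event."""
    img, cl = image.lower(), command_line.lower()
    parent_dir, _, name = img.rpartition("\\")
    findings = []
    if name == "takeown.exe" and "/f" in cl and PROTECTED_DIR in cl:
        findings.append("takeown seizes ownership of a protected system directory")
    if name == "icacls.exe" and PROTECTED_DIR in cl and GRANT_FULL.search(cl):
        findings.append("icacls grants Full control on a protected system directory")
    if name == "cmd.exe" and "takeown" in cl and "icacls" in cl:
        findings.append("cmd.exe chains takeown and icacls")
    if parent_dir in DROP_DIRS and DROPPER_NAME.match(name):
        findings.append(f"randomly named EXE executed from {parent_dir}")
    if parent_dir == "c:" and name.endswith(".exe"):
        findings.append("EXE executed from the drive root")
    if name == "iexplore.exe" and "google.com/search?q=" in cl:
        findings.append("browser launched with a pre-filled search query")
    return findings


def analyze_registry(target_object: str, details: str) -> list[str]:
    """Return the suspicious traits of one registry value-set event."""
    t, d = target_object.lower(), details.lower()
    if POLICIES_SYSTEM not in t:
        return []
    value = t.rsplit("\\", 1)[-1]
    if value == "enablelua" and d.endswith("(0x00000000)"):
        return ["UAC disabled (EnableLUA=0)"]
    if value == "disableregistrytools" and d.endswith("(0x00000001)"):
        return ["Registry Editor disabled (DisableRegistryTools=1)"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run each event through the matching analyser; return (pid, finding) pairs."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = analyze_process(ev["Image"], ev["CommandLine"])
        elif ev["EventID"] == 13:
            hits = analyze_registry(ev["TargetObject"], ev["Details"])
        else:
            hits = []
        alerts.extend((ev["ProcessId"], h) for h in hits)
    return alerts


# Constructed events mirroring lines from the tree (PIDs are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2716, "Image": r"C:\H2.exe", "CommandLine": r'"C:\H2.exe"'},
    {"EventID": 13, "ProcessId": 2716,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2716,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 3064, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"'},
    {"EventID": 1, "ProcessId": 3492, "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32"},
    {"EventID": 1, "ProcessId": 5552, "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls C:\Windows\System32 /grant "Admin:F"'},
    {"EventID": 1, "ProcessId": 4208, "Image": r"C:\PerfLogs\U26Z02C8X83L7YI2G84.exe",
     "CommandLine": r'"C:\PerfLogs\U26Z02C8X83L7YI2G84.exe"'},
    {"EventID": 1, "ProcessId": 6608, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe'},
    # Benign control: icacls on a user folder granting Read only, must not fire.
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls C:\Users\bob\docs /grant "bob:R"'},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

The `cmd.exe` check fires on the parent command line before `takeown.exe` or `icacls.exe` ever start, which matters on hosts where Sysmon only logs the first process of a chain; the two child checks are kept anyway so that a direct invocation without `cmd.exe` is still caught. The `%username%:F` variant passes the same `GRANT_FULL` regex because the environment variable has not been expanded at the point where the event is logged.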
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
- C:\H2.exe
  Filesize: 22KB
  MD5: b014736055c3a7cf6af257dd7f84af7d
  SHA1: d2ac0fb6482c2551a72fac685312c007e3e294d7
  SHA256: d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
  SHA512: c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
- memory/708-132-0x0000000000D50000-0x0000000000D5C000-memory.dmp  Filesize: 48KB
- memory/792-235-0x0000000001280000-0x000000000128C000-memory.dmp  Filesize: 48KB
- memory/904-56-0x0000000000EA0000-0x0000000000EAC000-memory.dmp  Filesize: 48KB
- memory/936-137-0x00000000013D0000-0x00000000013DC000-memory.dmp  Filesize: 48KB
- memory/1104-95-0x00000000000E0000-0x00000000000EC000-memory.dmp  Filesize: 48KB
- memory/1248-140-0x0000000000E90000-0x0000000000E9C000-memory.dmp  Filesize: 48KB
- memory/1572-124-0x0000000000290000-0x000000000029C000-memory.dmp  Filesize: 48KB
- memory/1648-172-0x0000000000320000-0x000000000032C000-memory.dmp  Filesize: 48KB
- memory/1740-1-0x0000000000870000-0x000000000087C000-memory.dmp  Filesize: 48KB
- memory/1740-0-0x000000007456E000-0x000000007456F000-memory.dmp  Filesize: 4KB
- memory/1816-171-0x0000000000370000-0x000000000037C000-memory.dmp  Filesize: 48KB
- memory/1928-170-0x0000000001370000-0x000000000137C000-memory.dmp  Filesize: 48KB
- memory/1964-339-0x0000000001060000-0x000000000106C000-memory.dmp  Filesize: 48KB
- memory/2016-216-0x0000000001230000-0x000000000123C000-memory.dmp  Filesize: 48KB
- memory/2068-229-0x0000000000B00000-0x0000000000B0C000-memory.dmp  Filesize: 48KB
- memory/2092-175-0x0000000001090000-0x000000000109C000-memory.dmp  Filesize: 48KB
- memory/2172-162-0x0000000000230000-0x000000000023C000-memory.dmp  Filesize: 48KB
- memory/2320-146-0x0000000001330000-0x000000000133C000-memory.dmp  Filesize: 48KB
- memory/2320-219-0x0000000000F10000-0x0000000000F1C000-memory.dmp  Filesize: 48KB
- memory/2328-119-0x0000000000190000-0x000000000019C000-memory.dmp  Filesize: 48KB
- memory/2332-44-0x0000000000E10000-0x0000000000E1C000-memory.dmp  Filesize: 48KB
- memory/2464-173-0x00000000003B0000-0x00000000003BC000-memory.dmp  Filesize: 48KB
- memory/2620-400-0x0000000000F40000-0x0000000000F4C000-memory.dmp  Filesize: 48KB
- memory/2620-33-0x00000000010D0000-0x00000000010DC000-memory.dmp  Filesize: 48KB
- memory/2664-142-0x0000000000F20000-0x0000000000F2C000-memory.dmp  Filesize: 48KB
- memory/2664-226-0x0000000000CD0000-0x0000000000CDC000-memory.dmp  Filesize: 48KB
- memory/2716-30-0x0000000074560000-0x0000000074C4E000-memory.dmp  Filesize: 6.9MB
- memory/2716-8-0x0000000001170000-0x000000000117C000-memory.dmp  Filesize: 48KB
- memory/2716-9-0x0000000074560000-0x0000000074C4E000-memory.dmp  Filesize: 6.9MB
- memory/2804-313-0x0000000000F00000-0x0000000000F0C000-memory.dmp  Filesize: 48KB
- memory/2816-114-0x00000000001F0000-0x00000000001FC000-memory.dmp  Filesize: 48KB
- memory/2880-101-0x0000000000A10000-0x0000000000A1C000-memory.dmp  Filesize: 48KB
- memory/2900-49-0x0000000000880000-0x000000000088C000-memory.dmp  Filesize: 48KB
- memory/3064-152-0x0000000000BD0000-0x0000000000BDC000-memory.dmp  Filesize: 48KB
- memory/3168-174-0x0000000001390000-0x000000000139C000-memory.dmp  Filesize: 48KB
- memory/3472-206-0x00000000013E0000-0x00000000013EC000-memory.dmp  Filesize: 48KB
- memory/3540-188-0x0000000001190000-0x000000000119C000-memory.dmp  Filesize: 48KB
- memory/3560-325-0x00000000011C0000-0x00000000011CC000-memory.dmp  Filesize: 48KB
- memory/3564-353-0x0000000001220000-0x000000000122C000-memory.dmp  Filesize: 48KB
- memory/3740-317-0x00000000008A0000-0x00000000008AC000-memory.dmp  Filesize: 48KB
- memory/3820-190-0x00000000003D0000-0x00000000003DC000-memory.dmp  Filesize: 48KB
- memory/3896-192-0x0000000001100000-0x000000000110C000-memory.dmp  Filesize: 48KB
- memory/3912-191-0x0000000001150000-0x000000000115C000-memory.dmp  Filesize: 48KB
- memory/4208-397-0x0000000001070000-0x000000000107C000-memory.dmp  Filesize: 48KB
- memory/4212-322-0x0000000001110000-0x000000000111C000-memory.dmp  Filesize: 48KB
- memory/4348-344-0x0000000000970000-0x000000000097C000-memory.dmp  Filesize: 48KB
- memory/4380-326-0x0000000000940000-0x000000000094C000-memory.dmp  Filesize: 48KB
- memory/4384-324-0x0000000000200000-0x000000000020C000-memory.dmp  Filesize: 48KB
- memory/4736-298-0x0000000000280000-0x000000000028C000-memory.dmp  Filesize: 48KB
- memory/4836-285-0x0000000000DA0000-0x0000000000DAC000-memory.dmp  Filesize: 48KB
- memory/5156-362-0x0000000000300000-0x000000000030C000-memory.dmp  Filesize: 48KB
- memory/5164-377-0x00000000010B0000-0x00000000010BC000-memory.dmp  Filesize: 48KB
- memory/5876-380-0x00000000012E0000-0x00000000012EC000-memory.dmp  Filesize: 48KB
- memory/6608-416-0x0000000000AE0000-0x0000000000AEC000-memory.dmp  Filesize: 48KB
- memory/7864-417-0x0000000001020000-0x000000000102C000-memory.dmp  Filesize: 48KB