d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86

Analysis

max time kernel
116s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 03:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

H2 (2).exe
Size

22KB
MD5

b014736055c3a7cf6af257dd7f84af7d
SHA1

d2ac0fb6482c2551a72fac685312c007e3e294d7
SHA256

d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
SHA512

c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
SSDEEP

384:Pl5PmikkxZNVUwSymwfixj1VUVIx2b4KJBy/V+wTMUufgqflVW9s:PlxkkDmp9UbdvQMSAlU9

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" H2.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Possible privilege escalation attempt 51 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
3484	takeown.exe
9368	takeown.exe
6576	takeown.exe
4600	takeown.exe
4528	icacls.exe
960	icacls.exe
1440	icacls.exe
10572	takeown.exe
5308	takeown.exe
14476	takeown.exe
1188	icacls.exe
1396	icacls.exe
4344	takeown.exe
6372	takeown.exe
10256	takeown.exe
8472	takeown.exe
9164	takeown.exe
13656	takeown.exe
14672	icacls.exe
12968	icacls.exe
8904	icacls.exe
3512	takeown.exe
4928	icacls.exe
14940	takeown.exe
7536	icacls.exe
4344	icacls.exe
3544	takeown.exe
7444	icacls.exe
10048	icacls.exe
15912	icacls.exe
14064	takeown.exe
1148	icacls.exe
4388	icacls.exe
4044	takeown.exe
10996	icacls.exe
1104	icacls.exe
2920	icacls.exe
4756	takeown.exe
13096	takeown.exe
13296	takeown.exe
5292	takeown.exe
13560	icacls.exe
6104	icacls.exe
1392	takeown.exe
2556	takeown.exe
4424	takeown.exe
15124	takeown.exe
2480	takeown.exe
11540	takeown.exe
1256	icacls.exe
7256	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

H2 (2).exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation H2 (2).exe
Executes dropped EXE 1 IoCs

Processes:

H2.exe

pid process

3468 H2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	H2 (2).exe

Modifies file permissions 1 TTPs 51 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
3544	takeown.exe
7256	icacls.exe
13656	takeown.exe
3484	takeown.exe
4424	takeown.exe
13560	icacls.exe
7444	icacls.exe
1392	takeown.exe
4344	takeown.exe
4344	icacls.exe
1104	icacls.exe
6372	takeown.exe
14476	takeown.exe
2480	takeown.exe
13296	takeown.exe
14940	takeown.exe
15124	takeown.exe
6576	takeown.exe
6104	icacls.exe
4756	takeown.exe
960	icacls.exe
8904	icacls.exe
1148	icacls.exe
4388	icacls.exe
9368	takeown.exe
10572	takeown.exe
7536	icacls.exe
4600	takeown.exe
2556	takeown.exe
4528	icacls.exe
2920	icacls.exe
4928	icacls.exe
11540	takeown.exe
5308	takeown.exe
14672	icacls.exe
1256	icacls.exe
8472	takeown.exe
12968	icacls.exe
10048	icacls.exe
1396	icacls.exe
9164	takeown.exe
10256	takeown.exe
13096	takeown.exe
3512	takeown.exe
1440	icacls.exe
4044	takeown.exe
5292	takeown.exe
14064	takeown.exe
10996	icacls.exe
15912	icacls.exe
1188	icacls.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

H2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

18500 4344 WerFault.exe H2.exe

pid	pid_target	process	target process
18500	4344	WerFault.exe	H2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

H2.exe

pid	process
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe
3468	H2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

H2.exetakeown.exe

description pid process

Token: SeDebugPrivilege 3468 H2.exe
Token: SeDebugPrivilege 3468 H2.exe
Token: SeTakeOwnershipPrivilege 1392 takeown.exe

description	pid	process
Token: SeDebugPrivilege	3468	H2.exe
Token: SeDebugPrivilege	3468	H2.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

H2 (2).exeH2.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 3468	5044	H2 (2).exe	H2.exe
PID 5044 wrote to memory of 3468	5044	H2 (2).exe	H2.exe
PID 5044 wrote to memory of 3468	5044	H2 (2).exe	H2.exe
PID 3468 wrote to memory of 4628	3468	H2.exe	cmd.exe
PID 3468 wrote to memory of 4628	3468	H2.exe	cmd.exe
PID 3468 wrote to memory of 4628	3468	H2.exe	cmd.exe
PID 4628 wrote to memory of 1392	4628	cmd.exe	takeown.exe
PID 4628 wrote to memory of 1392	4628	cmd.exe	takeown.exe
PID 4628 wrote to memory of 1392	4628	cmd.exe	takeown.exe
PID 4628 wrote to memory of 1104	4628	cmd.exe	icacls.exe
PID 4628 wrote to memory of 1104	4628	cmd.exe	icacls.exe
PID 4628 wrote to memory of 1104	4628	cmd.exe	icacls.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe

C:\Users\Admin\AppData\Local\Temp\H2 (2).exe
"C:\Users\Admin\AppData\Local\Temp\H2 (2).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044

C:\H2.exe
"C:\H2.exe"
2⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
3⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1104

C:\$Recycle.Bin\G55V52B1O50X8YX7V77.exe
"C:\$Recycle.Bin\G55V52B1O50X8YX7V77.exe"
3⤵
PID:656

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3560

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:8284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
6⤵
PID:10380

C:\Documents and Settings\M60Y44H4V85S1UM2V48.exe
"C:\Documents and Settings\M60Y44H4V85S1UM2V48.exe"
3⤵
PID:2044

C:\H2.exe
"C:\H2.exe"
4⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3804

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4528

C:\$Recycle.Bin\Q37M53N6N47T8RL5Z27.exe
"C:\$Recycle.Bin\Q37M53N6N47T8RL5Z27.exe"
5⤵
PID:2480

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:7024

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6372

C:\Documents and Settings\C16I23L0M22Y1OT5Y61.exe
"C:\Documents and Settings\C16I23L0M22Y1OT5Y61.exe"
5⤵
PID:3104

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:8168

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9164

C:\Program Files\B00I11M0Y04O3WI5U43.exe
"C:\Program Files\B00I11M0Y04O3WI5U43.exe"
7⤵
PID:8816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2268
7⤵
- Program crash
PID:18500

C:\PerfLogs\H48Y85U5G61D1BF8B35.exe
"C:\PerfLogs\H48Y85U5G61D1BF8B35.exe"
5⤵
PID:4372

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4072

C:\Program Files\I26T28W6X50A4KE5N34.exe
"C:\Program Files\I26T28W6X50A4KE5N34.exe"
5⤵
PID:5276

C:\H2.exe
"C:\H2.exe"
6⤵
PID:1632

C:\Program Files (x86)\V34F07U0J26Y3OY5N41.exe
"C:\Program Files (x86)\V34F07U0J26Y3OY5N41.exe"
5⤵
PID:6132

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9208

C:\ProgramData\K41Q48S2L51D4RE4W06.exe
"C:\ProgramData\K41Q48S2L51D4RE4W06.exe"
5⤵
PID:1992

C:\Users\J83W81D1R61G1CT6R45.exe
"C:\Users\J83W81D1R61G1CT6R45.exe"
5⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:7292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
5⤵
PID:17500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
6⤵
PID:17768

C:\PerfLogs\T33Q86H1H06H0UZ2J83.exe
"C:\PerfLogs\T33Q86H1H06H0UZ2J83.exe"
3⤵
PID:3964

C:\H2.exe
"C:\H2.exe"
4⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:948

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3512

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1440

C:\$Recycle.Bin\F48Q81G5K78Q8SW8T61.exe
"C:\$Recycle.Bin\F48Q81G5K78Q8SW8T61.exe"
5⤵
PID:4236

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5004

C:\Documents and Settings\E85P31M0M05L4DP6Z07.exe
"C:\Documents and Settings\E85P31M0M05L4DP6Z07.exe"
5⤵
PID:4040

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:5308

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4424

C:\Program Files\S06A60L2Z12F7NK4F35.exe
"C:\Program Files\S06A60L2Z12F7NK4F35.exe"
7⤵
PID:18380

C:\PerfLogs\E05H05K8C00E3LH4H20.exe
"C:\PerfLogs\E05H05K8C00E3LH4H20.exe"
5⤵
PID:1108

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5852

C:\Documents and Settings\W71C26S6W42S0XK2K54.exe
"C:\Documents and Settings\W71C26S6W42S0XK2K54.exe"
7⤵
PID:8072

C:\Program Files\L17O44D8V85X0TF0A56.exe
"C:\Program Files\L17O44D8V85X0TF0A56.exe"
7⤵
PID:8460

C:\Program Files\U10N63T0Y26E4XT5I86.exe
"C:\Program Files\U10N63T0Y26E4XT5I86.exe"
5⤵
PID:2188

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6648

C:\PerfLogs\S70R70U8Y01X7TA0K76.exe
"C:\PerfLogs\S70R70U8Y01X7TA0K76.exe"
7⤵
PID:11836

C:\Program Files\T85R47X0T07Y7CO3H10.exe
"C:\Program Files\T85R47X0T07Y7CO3H10.exe"
7⤵
PID:16936

C:\Program Files (x86)\D42G35Q4D16Z8WA1N46.exe
"C:\Program Files (x86)\D42G35Q4D16Z8WA1N46.exe"
5⤵
PID:4384

C:\ProgramData\S58R76O5F41E0YG0W02.exe
"C:\ProgramData\S58R76O5F41E0YG0W02.exe"
5⤵
PID:5800

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:7220

C:\Recovery\D26P04T5L22H2YC4J26.exe
"C:\Recovery\D26P04T5L22H2YC4J26.exe"
5⤵
PID:1912

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2376

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
5⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
5⤵
PID:8352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:6744

C:\Program Files\B07H30H8T17W0VM3Y46.exe
"C:\Program Files\B07H30H8T17W0VM3Y46.exe"
3⤵
PID:4156

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:536

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4344

C:\$Recycle.Bin\Z60H74R6A53M2RF5R58.exe
"C:\$Recycle.Bin\Z60H74R6A53M2RF5R58.exe"
5⤵
PID:4692

C:\Documents and Settings\H31K03L7V74O2KI8B03.exe
"C:\Documents and Settings\H31K03L7V74O2KI8B03.exe"
5⤵
PID:2828

C:\PerfLogs\N33J20T2T08F7NX8O52.exe
"C:\PerfLogs\N33J20T2T08F7NX8O52.exe"
5⤵
PID:5288

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8876

C:\Program Files\O61T40Q8Z06S5DG4D05.exe
"C:\Program Files\O61T40Q8Z06S5DG4D05.exe"
5⤵
PID:5136

C:\Program Files (x86)\S14I81T8X52S4SR5K50.exe
"C:\Program Files (x86)\S14I81T8X52S4SR5K50.exe"
5⤵
PID:1916

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:12992

C:\Recovery\S02L45J2U66W7LN3U74.exe
"C:\Recovery\S02L45J2U66W7LN3U74.exe"
5⤵
PID:7292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
5⤵
PID:11276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
5⤵
PID:9740

C:\Program Files (x86)\Y01V74Z2S43B7GB4O55.exe
"C:\Program Files (x86)\Y01V74Z2S43B7GB4O55.exe"
3⤵
PID:1624

C:\H2.exe
"C:\H2.exe"
4⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2292

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4344

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:960

C:\$Recycle.Bin\R47K14G0F41V8PX2L56.exe
"C:\$Recycle.Bin\R47K14G0F41V8PX2L56.exe"
5⤵
PID:3732

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6040

C:\Documents and Settings\Y26X78V0R64B6LQ0E06.exe
"C:\Documents and Settings\Y26X78V0R64B6LQ0E06.exe"
5⤵
PID:4052

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:9592

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8472

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7444

C:\$Recycle.Bin\L60B87N5K62M3HU2Q06.exe
"C:\$Recycle.Bin\L60B87N5K62M3HU2Q06.exe"
7⤵
PID:17080

C:\PerfLogs\O23O15O7V88O8DS7T60.exe
"C:\PerfLogs\O23O15O7V88O8DS7T60.exe"
5⤵
PID:5144

C:\Program Files\B81L07S5S46X3ZB0O33.exe
"C:\Program Files\B81L07S5S46X3ZB0O33.exe"
5⤵
PID:5884

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9012

C:\Program Files (x86)\F83L51B1Z04I6FC2R33.exe
"C:\Program Files (x86)\F83L51B1Z04I6FC2R33.exe"
5⤵
PID:4236

C:\Recovery\E14K25H6Z30E4AQ0B52.exe
"C:\Recovery\E14K25H6Z30E4AQ0B52.exe"
5⤵
PID:7196

C:\Windows\A71X61R5Z83E5FS7A53.exe
"C:\Windows\A71X61R5Z83E5FS7A53.exe"
5⤵
PID:9116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
5⤵
PID:11856

C:\ProgramData\L30I45G3I03Y4MB2U75.exe
"C:\ProgramData\L30I45G3I03Y4MB2U75.exe"
3⤵
PID:5052

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:4964

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3544

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4928

C:\$Recycle.Bin\E62E78T5A04Z6VT4G88.exe
"C:\$Recycle.Bin\E62E78T5A04Z6VT4G88.exe"
5⤵
PID:5980

C:\Documents and Settings\X60I05V0D02I2NZ0H34.exe
"C:\Documents and Settings\X60I05V0D02I2NZ0H34.exe"
5⤵
PID:5736

C:\Program Files (x86)\I88X08N0T73F0NU3B58.exe
"C:\Program Files (x86)\I88X08N0T73F0NU3B58.exe"
5⤵
PID:7664

C:\ProgramData\Q00U76O7J01Y5OV1A37.exe
"C:\ProgramData\Q00U76O7J01Y5OV1A37.exe"
5⤵
PID:7708

C:\Users\O30O55A6H36M2TO8E57.exe
"C:\Users\O30O55A6H36M2TO8E57.exe"
5⤵
PID:6912

C:\Windows\N61O20H2G63I0OB6O75.exe
"C:\Windows\N61O20H2G63I0OB6O75.exe"
5⤵
PID:6824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:13528

C:\Recovery\M88Q10F2L88L0CE0D51.exe
"C:\Recovery\M88Q10F2L88L0CE0D51.exe"
3⤵
PID:3004

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:552

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3484

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4388

C:\$Recycle.Bin\M31U13J4K03Q6LF8K38.exe
"C:\$Recycle.Bin\M31U13J4K03Q6LF8K38.exe"
5⤵
PID:3044

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5748

C:\Documents and Settings\L06F22S3Z24V8PV4T78.exe
"C:\Documents and Settings\L06F22S3Z24V8PV4T78.exe"
5⤵
PID:1256

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:8584

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13096

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14672

C:\$Recycle.Bin\M25A86G0Y65O0JP6M28.exe
"C:\$Recycle.Bin\M25A86G0Y65O0JP6M28.exe"
7⤵
PID:17968

C:\PerfLogs\P82X70N6Y74A4TU5B55.exe
"C:\PerfLogs\P82X70N6Y74A4TU5B55.exe"
5⤵
PID:5380

C:\Program Files\Q77E73S0D77I5TQ1Q66.exe
"C:\Program Files\Q77E73S0D77I5TQ1Q66.exe"
5⤵
PID:6124

C:\Program Files (x86)\P64T31Z5R75X6MU8X57.exe
"C:\Program Files (x86)\P64T31Z5R75X6MU8X57.exe"
5⤵
PID:2920

C:\Users\Z58K11F6T00O5FI4E77.exe
"C:\Users\Z58K11F6T00O5FI4E77.exe"
5⤵
PID:7516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
5⤵
PID:10936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
6⤵
PID:11140

C:\Users\M40G06A7B87A4KO7H05.exe
"C:\Users\M40G06A7B87A4KO7H05.exe"
3⤵
PID:212

C:\H2.exe
"C:\H2.exe"
4⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3420

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4044

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1256

C:\$Recycle.Bin\B53H62R5O40T6ZN3E07.exe
"C:\$Recycle.Bin\B53H62R5O40T6ZN3E07.exe"
5⤵
PID:5232

C:\Program Files\N85V45M6Z27R4IV0U55.exe
"C:\Program Files\N85V45M6Z27R4IV0U55.exe"
5⤵
PID:7300

C:\Program Files (x86)\Y05J40L1V17J1PB2K14.exe
"C:\Program Files (x86)\Y05J40L1V17J1PB2K14.exe"
5⤵
PID:332

C:\Windows\J80L41K7T22W6OV2P04.exe
"C:\Windows\J80L41K7T22W6OV2P04.exe"
3⤵
PID:2844

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1452

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2480

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2920

C:\$Recycle.Bin\W04T40X2S86S7VC8H56.exe
"C:\$Recycle.Bin\W04T40X2S86S7VC8H56.exe"
5⤵
PID:6400

C:\Documents and Settings\C40C82F6B47R8BA8W33.exe
"C:\Documents and Settings\C40C82F6B47R8BA8W33.exe"
5⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:18208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
3⤵
PID:8848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
3⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
4⤵
PID:5776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
1⤵
PID:7544

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
1⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
1⤵
PID:7596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
1⤵
PID:9760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
1⤵
PID:8272

C:\H2.exe
"C:\H2.exe"
1⤵
PID:7592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
2⤵
PID:12740

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6576

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:12096

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:7072

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15124

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:8460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:4648

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5292

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1188

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13296

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11540

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10572

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:13452

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:13948

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
1⤵
PID:12612

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14940

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14064

C:\H2.exe
"C:\H2.exe"
1⤵
PID:14164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
2⤵
PID:16136

C:\H2.exe
"C:\H2.exe"
1⤵
PID:10312

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12968

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
1⤵
PID:5032

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7256

C:\H2.exe
"C:\H2.exe"
1⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
1⤵
PID:7620

C:\$Recycle.Bin\X34E76M1V35X4NR5E37.exe
"C:\$Recycle.Bin\X34E76M1V35X4NR5E37.exe"
1⤵
PID:15508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
1⤵
PID:15740

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:16356

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:12388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:10332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15072

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:12628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:13804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15676

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:7460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:13272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:8540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:12428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:5844

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15640

C:\Documents and Settings\A64K18G5H11M5NB0F67.exe
"C:\Documents and Settings\A64K18G5H11M5NB0F67.exe"
1⤵
PID:9316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 8108 -ip 8108
1⤵
PID:17744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6648 -ip 6648
1⤵
PID:17980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5748 -ip 5748
1⤵
PID:18064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6620 -ip 6620
1⤵
PID:11828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4628 -ip 4628
1⤵
PID:18164

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\H2.exe
Filesize
22KB

MD5
b014736055c3a7cf6af257dd7f84af7d

SHA1
d2ac0fb6482c2551a72fac685312c007e3e294d7

SHA256
d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86

SHA512
c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\L30I45G3I03Y4MB2U75.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d91a23877c0348e66c6119048df66677

SHA1
685a8fef8bc81f674eaa26666d6dc921d5ba3e4e

SHA256
802fd8e7578ec821e2e2deba190cfedd5ce7001361625ec0a16cd92b20dbdc33

SHA512
47cbe1c43125707cd609bc3342ff0f05196c018d47837373bbc63dbdc650741867ffd4c4548b0e9d20bf2fd430a5b370bcb81356784985a3ba1612fcc7421a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
3c0268b80d0c79dc9ea6dfab6b194f8f

SHA1
f45df87c4bee0fee1f35dc03bd8700d13c89bffe

SHA256
e42cf4e7d2ff62fb8de19acb4ac327af502f3b8ed09ff3df931ef8f6e095483c

SHA512
a7aa124375ffe9bfe5b3f4569d17a586e537e1df189e122af4ee3c30ee2a822fa498f895e38c80204d032410eddf4e398ae23277ccdcf96f6a0a1498268436e3

Download Submit
memory/3468-13-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/3468-25-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-0-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/5044-1-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads