Analysis
- max time kernel: 116s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 03:25
Static task
- static1
Behavioral task
- behavioral1
Sample
- H2 (2).exe
Resource
- win7-20240220-en
Errors
General
- Target: H2 (2).exe
- Size: 22KB
- MD5: b014736055c3a7cf6af257dd7f84af7d
- SHA1: d2ac0fb6482c2551a72fac685312c007e3e294d7
- SHA256: d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
- SHA512: c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
- SSDEEP: 384:Pl5PmikkxZNVUwSymwfixj1VUVIx2b4KJBy/V+wTMUufgqflVW9s:PlxkkDmp9UbdvQMSAlU9
Malware Config
Signatures
- UAC bypass
  Processes (process: description, ioc):
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Disables RegEdit via registry modification (1 IoCs)
  Processes (process: description, ioc):
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Possible privilege escalation attempt (51 IoCs)
  Processes (pid process): 3484 takeown.exe, 9368 takeown.exe, 6576 takeown.exe, 4600 takeown.exe, 4528 icacls.exe, 960 icacls.exe, 1440 icacls.exe, 10572 takeown.exe, 5308 takeown.exe, 14476 takeown.exe, 1188 icacls.exe, 1396 icacls.exe, 4344 takeown.exe, 6372 takeown.exe, 10256 takeown.exe, 8472 takeown.exe, 9164 takeown.exe, 13656 takeown.exe, 14672 icacls.exe, 12968 icacls.exe, 8904 icacls.exe, 3512 takeown.exe, 4928 icacls.exe, 14940 takeown.exe, 7536 icacls.exe, 4344 icacls.exe, 3544 takeown.exe, 7444 icacls.exe, 10048 icacls.exe, 15912 icacls.exe, 14064 takeown.exe, 1148 icacls.exe, 4388 icacls.exe, 4044 takeown.exe, 10996 icacls.exe, 1104 icacls.exe, 2920 icacls.exe, 4756 takeown.exe, 13096 takeown.exe, 13296 takeown.exe, 5292 takeown.exe, 13560 icacls.exe, 6104 icacls.exe, 1392 takeown.exe, 2556 takeown.exe, 4424 takeown.exe, 15124 takeown.exe, 2480 takeown.exe, 11540 takeown.exe, 1256 icacls.exe, 7256 icacls.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (process: description, ioc):
  - H2 (2).exe: Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes (pid process): 3468 H2.exe
- Modifies file permissions (1 TTPs, 51 IoCs)
  Processes (pid process): 3544 takeown.exe, 7256 icacls.exe, 13656 takeown.exe, 3484 takeown.exe, 4424 takeown.exe, 13560 icacls.exe, 7444 icacls.exe, 1392 takeown.exe, 4344 takeown.exe, 4344 icacls.exe, 1104 icacls.exe, 6372 takeown.exe, 14476 takeown.exe, 2480 takeown.exe, 13296 takeown.exe, 14940 takeown.exe, 15124 takeown.exe, 6576 takeown.exe, 6104 icacls.exe, 4756 takeown.exe, 960 icacls.exe, 8904 icacls.exe, 1148 icacls.exe, 4388 icacls.exe, 9368 takeown.exe, 10572 takeown.exe, 7536 icacls.exe, 4600 takeown.exe, 2556 takeown.exe, 4528 icacls.exe, 2920 icacls.exe, 4928 icacls.exe, 11540 takeown.exe, 5308 takeown.exe, 14672 icacls.exe, 1256 icacls.exe, 8472 takeown.exe, 12968 icacls.exe, 10048 icacls.exe, 1396 icacls.exe, 9164 takeown.exe, 10256 takeown.exe, 13096 takeown.exe, 3512 takeown.exe, 1440 icacls.exe, 4044 takeown.exe, 5292 takeown.exe, 14064 takeown.exe, 10996 icacls.exe, 15912 icacls.exe, 1188 icacls.exe
- Checks whether UAC is enabled
  Processes (process: description, ioc):
  - H2.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process): 18500, 4344, WerFault.exe, H2.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid process): 3468 H2.exe (the same entry listed 64 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3468, H2.exe
  - Token: SeDebugPrivilege, 3468, H2.exe
  - Token: SeTakeOwnershipPrivilege, 1392, takeown.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 5044 wrote to memory of 3468, 5044 H2 (2).exe, H2.exe (3 entries)
  - PID 3468 wrote to memory of 4628, 3468 H2.exe, cmd.exe (3 entries)
  - PID 4628 wrote to memory of 1392, 4628 cmd.exe, takeown.exe (3 entries)
  - PID 4628 wrote to memory of 1104, 4628 cmd.exe, icacls.exe (3 entries)
- System policy modification (1 TTPs, 3 IoCs)
  Processes (process: description, ioc):
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - H2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
Processes (image path | command line; child processes and triggered signatures are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\H2 (2).exe | "C:\Users\Admin\AppData\Local\Temp\H2 (2).exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\H2.exe | "C:\H2.exe"
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\$Recycle.Bin\G55V52B1O50X8YX7V77.exe | "C:\$Recycle.Bin\G55V52B1O50X8YX7V77.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
    - C:\Documents and Settings\M60Y44H4V85S1UM2V48.exe | "C:\Documents and Settings\M60Y44H4V85S1UM2V48.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\Q37M53N6N47T8RL5Z27.exe | "C:\$Recycle.Bin\Q37M53N6N47T8RL5Z27.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        - C:\Documents and Settings\C16I23L0M22Y1OT5Y61.exe | "C:\Documents and Settings\C16I23L0M22Y1OT5Y61.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
            - C:\Program Files\B00I11M0Y04O3WI5U43.exe | "C:\Program Files\B00I11M0Y04O3WI5U43.exe"
            - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2268
              - Program crash
        - C:\PerfLogs\H48Y85U5G61D1BF8B35.exe | "C:\PerfLogs\H48Y85U5G61D1BF8B35.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Program Files\I26T28W6X50A4KE5N34.exe | "C:\Program Files\I26T28W6X50A4KE5N34.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Program Files (x86)\V34F07U0J26Y3OY5N41.exe | "C:\Program Files (x86)\V34F07U0J26Y3OY5N41.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\ProgramData\K41Q48S2L51D4RE4W06.exe | "C:\ProgramData\K41Q48S2L51D4RE4W06.exe"
        - C:\Users\J83W81D1R61G1CT6R45.exe | "C:\Users\J83W81D1R61G1CT6R45.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
    - C:\PerfLogs\T33Q86H1H06H0UZ2J83.exe | "C:\PerfLogs\T33Q86H1H06H0UZ2J83.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\F48Q81G5K78Q8SW8T61.exe | "C:\$Recycle.Bin\F48Q81G5K78Q8SW8T61.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Documents and Settings\E85P31M0M05L4DP6Z07.exe | "C:\Documents and Settings\E85P31M0M05L4DP6Z07.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
            - C:\Program Files\S06A60L2Z12F7NK4F35.exe | "C:\Program Files\S06A60L2Z12F7NK4F35.exe"
        - C:\PerfLogs\E05H05K8C00E3LH4H20.exe | "C:\PerfLogs\E05H05K8C00E3LH4H20.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Documents and Settings\W71C26S6W42S0XK2K54.exe | "C:\Documents and Settings\W71C26S6W42S0XK2K54.exe"
            - C:\Program Files\L17O44D8V85X0TF0A56.exe | "C:\Program Files\L17O44D8V85X0TF0A56.exe"
        - C:\Program Files\U10N63T0Y26E4XT5I86.exe | "C:\Program Files\U10N63T0Y26E4XT5I86.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\PerfLogs\S70R70U8Y01X7TA0K76.exe | "C:\PerfLogs\S70R70U8Y01X7TA0K76.exe"
            - C:\Program Files\T85R47X0T07Y7CO3H10.exe | "C:\Program Files\T85R47X0T07Y7CO3H10.exe"
        - C:\Program Files (x86)\D42G35Q4D16Z8WA1N46.exe | "C:\Program Files (x86)\D42G35Q4D16Z8WA1N46.exe"
        - C:\ProgramData\S58R76O5F41E0YG0W02.exe | "C:\ProgramData\S58R76O5F41E0YG0W02.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        - C:\Recovery\D26P04T5L22H2YC4J26.exe | "C:\Recovery\D26P04T5L22H2YC4J26.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
    - C:\Program Files\B07H30H8T17W0VM3Y46.exe | "C:\Program Files\B07H30H8T17W0VM3Y46.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\Z60H74R6A53M2RF5R58.exe | "C:\$Recycle.Bin\Z60H74R6A53M2RF5R58.exe"
        - C:\Documents and Settings\H31K03L7V74O2KI8B03.exe | "C:\Documents and Settings\H31K03L7V74O2KI8B03.exe"
        - C:\PerfLogs\N33J20T2T08F7NX8O52.exe | "C:\PerfLogs\N33J20T2T08F7NX8O52.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Program Files\O61T40Q8Z06S5DG4D05.exe | "C:\Program Files\O61T40Q8Z06S5DG4D05.exe"
        - C:\Program Files (x86)\S14I81T8X52S4SR5K50.exe | "C:\Program Files (x86)\S14I81T8X52S4SR5K50.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        - C:\Recovery\S02L45J2U66W7LN3U74.exe | "C:\Recovery\S02L45J2U66W7LN3U74.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus.exe
    - C:\Program Files (x86)\Y01V74Z2S43B7GB4O55.exe | "C:\Program Files (x86)\Y01V74Z2S43B7GB4O55.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\R47K14G0F41V8PX2L56.exe | "C:\$Recycle.Bin\R47K14G0F41V8PX2L56.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Documents and Settings\Y26X78V0R64B6LQ0E06.exe | "C:\Documents and Settings\Y26X78V0R64B6LQ0E06.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            - C:\$Recycle.Bin\L60B87N5K62M3HU2Q06.exe | "C:\$Recycle.Bin\L60B87N5K62M3HU2Q06.exe"
        - C:\PerfLogs\O23O15O7V88O8DS7T60.exe | "C:\PerfLogs\O23O15O7V88O8DS7T60.exe"
        - C:\Program Files\B81L07S5S46X3ZB0O33.exe | "C:\Program Files\B81L07S5S46X3ZB0O33.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Program Files (x86)\F83L51B1Z04I6FC2R33.exe | "C:\Program Files (x86)\F83L51B1Z04I6FC2R33.exe"
        - C:\Recovery\E14K25H6Z30E4AQ0B52.exe | "C:\Recovery\E14K25H6Z30E4AQ0B52.exe"
        - C:\Windows\A71X61R5Z83E5FS7A53.exe | "C:\Windows\A71X61R5Z83E5FS7A53.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
    - C:\ProgramData\L30I45G3I03Y4MB2U75.exe | "C:\ProgramData\L30I45G3I03Y4MB2U75.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\E62E78T5A04Z6VT4G88.exe | "C:\$Recycle.Bin\E62E78T5A04Z6VT4G88.exe"
        - C:\Documents and Settings\X60I05V0D02I2NZ0H34.exe | "C:\Documents and Settings\X60I05V0D02I2NZ0H34.exe"
        - C:\Program Files (x86)\I88X08N0T73F0NU3B58.exe | "C:\Program Files (x86)\I88X08N0T73F0NU3B58.exe"
        - C:\ProgramData\Q00U76O7J01Y5OV1A37.exe | "C:\ProgramData\Q00U76O7J01Y5OV1A37.exe"
        - C:\Users\O30O55A6H36M2TO8E57.exe | "C:\Users\O30O55A6H36M2TO8E57.exe"
        - C:\Windows\N61O20H2G63I0OB6O75.exe | "C:\Windows\N61O20H2G63I0OB6O75.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
    - C:\Recovery\M88Q10F2L88L0CE0D51.exe | "C:\Recovery\M88Q10F2L88L0CE0D51.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\M31U13J4K03Q6LF8K38.exe | "C:\$Recycle.Bin\M31U13J4K03Q6LF8K38.exe"
          - C:\H2.exe | "C:\H2.exe"
        - C:\Documents and Settings\L06F22S3Z24V8PV4T78.exe | "C:\Documents and Settings\L06F22S3Z24V8PV4T78.exe"
          - C:\H2.exe | "C:\H2.exe"
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            - C:\$Recycle.Bin\M25A86G0Y65O0JP6M28.exe | "C:\$Recycle.Bin\M25A86G0Y65O0JP6M28.exe"
        - C:\PerfLogs\P82X70N6Y74A4TU5B55.exe | "C:\PerfLogs\P82X70N6Y74A4TU5B55.exe"
        - C:\Program Files\Q77E73S0D77I5TQ1Q66.exe | "C:\Program Files\Q77E73S0D77I5TQ1Q66.exe"
        - C:\Program Files (x86)\P64T31Z5R75X6MU8X57.exe | "C:\Program Files (x86)\P64T31Z5R75X6MU8X57.exe"
        - C:\Users\Z58K11F6T00O5FI4E77.exe | "C:\Users\Z58K11F6T00O5FI4E77.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
    - C:\Users\M40G06A7B87A4KO7H05.exe | "C:\Users\M40G06A7B87A4KO7H05.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\B53H62R5O40T6ZN3E07.exe | "C:\$Recycle.Bin\B53H62R5O40T6ZN3E07.exe"
        - C:\Program Files\N85V45M6Z27R4IV0U55.exe | "C:\Program Files\N85V45M6Z27R4IV0U55.exe"
        - C:\Program Files (x86)\Y05J40L1V17J1PB2K14.exe | "C:\Program Files (x86)\Y05J40L1V17J1PB2K14.exe"
    - C:\Windows\J80L41K7T22W6OV2P04.exe | "C:\Windows\J80L41K7T22W6OV2P04.exe"
      - C:\H2.exe | "C:\H2.exe"
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        - C:\$Recycle.Bin\W04T40X2S86S7VC8H56.exe | "C:\$Recycle.Bin\W04T40X2S86S7VC8H56.exe"
        - C:\Documents and Settings\C40C82F6B47R8BA8W33.exe | "C:\Documents and Settings\C40C82F6B47R8BA8W33.exe"
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
- C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
- C:\H2.exe | "C:\H2.exe"
  - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
    - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
  - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
  - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
  - C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
  - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
  - C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\H2.exe | "C:\H2.exe"
  - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
- C:\H2.exe | "C:\H2.exe"
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\H2.exe | "C:\H2.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfc8e46f8,0x7ffbfc8e4708,0x7ffbfc8e4718
-
C:\$Recycle.Bin\X34E76M1V35X4NR5E37.exe"C:\$Recycle.Bin\X34E76M1V35X4NR5E37.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3049057496391170466,9533232448114646982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:11⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"1⤵
-
C:\Documents and Settings\A64K18G5H11M5NB0F67.exe"C:\Documents and Settings\A64K18G5H11M5NB0F67.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 8108 -ip 81081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6648 -ip 66481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5748 -ip 57481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6620 -ip 66201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4628 -ip 46281⤵
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
-
C:\H2.exe
Filesize: 22KB
MD5: b014736055c3a7cf6af257dd7f84af7d
SHA1: d2ac0fb6482c2551a72fac685312c007e3e294d7
SHA256: d4d5d15a80019ad35455718f42d67ee828aa3a9fe7ed6433fb540d0182432c86
SHA512: c7401a8dc2c977628f145ff47c162a202709d24ed921ffd4448eb5d97adaaaf8c20244d85649a3dbc17721399b6988b35c4eb6c7b57d17f8492035a93176cb27
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\L30I45G3I03Y4MB2U75.exe.log
Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 81e892ca5c5683efdf9135fe0f2adb15
SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: d91a23877c0348e66c6119048df66677
SHA1: 685a8fef8bc81f674eaa26666d6dc921d5ba3e4e
SHA256: 802fd8e7578ec821e2e2deba190cfedd5ce7001361625ec0a16cd92b20dbdc33
SHA512: 47cbe1c43125707cd609bc3342ff0f05196c018d47837373bbc63dbdc650741867ffd4c4548b0e9d20bf2fd430a5b370bcb81356784985a3ba1612fcc7421a67
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 204B
MD5: 3c0268b80d0c79dc9ea6dfab6b194f8f
SHA1: f45df87c4bee0fee1f35dc03bd8700d13c89bffe
SHA256: e42cf4e7d2ff62fb8de19acb4ac327af502f3b8ed09ff3df931ef8f6e095483c
SHA512: a7aa124375ffe9bfe5b3f4569d17a586e537e1df189e122af4ee3c30ee2a822fa498f895e38c80204d032410eddf4e398ae23277ccdcf96f6a0a1498268436e3
-
memory/3468-13-0x0000000075300000-0x0000000075AB0000-memory.dmp
Filesize: 7.7MB
-
memory/3468-25-0x0000000075300000-0x0000000075AB0000-memory.dmp
Filesize: 7.7MB
-
memory/5044-0-0x000000007530E000-0x000000007530F000-memory.dmp
Filesize: 4KB
-
memory/5044-1-0x0000000000B80000-0x0000000000B8C000-memory.dmp
Filesize: 48KB