900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea

General

Target

H2.exe
Size

22KB
MD5

669902e0baf0307086c9d347c66152a8
SHA1

96a5cc7d488c2273ae58a3ef22bc468d61684132
SHA256

900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea
SHA512

06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f
SSDEEP

384:Ql5PmFkkRZNVbwpumK3pms4eZXsKjX5msMU80UVIx2bOKJSyol+wTMUufNpJDlVX:QlekkLmKPXsK06UbTQVM/nlQ9

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" H2.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe

Possible privilege escalation attempt 30 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2428	takeown.exe
316	takeown.exe
7928	icacls.exe
2720	icacls.exe
3056	icacls.exe
3008	takeown.exe
2740	icacls.exe
7756	takeown.exe
2168	icacls.exe
1696	takeown.exe
2568	icacls.exe
4628	takeown.exe
2504	icacls.exe
2784	takeown.exe
2296	takeown.exe
5444	icacls.exe
2672	icacls.exe
5624	takeown.exe
848	icacls.exe
2748	takeown.exe
3312	takeown.exe
828	icacls.exe
1644	icacls.exe
1604	icacls.exe
1696	icacls.exe
2668	takeown.exe
2560	takeown.exe
756	takeown.exe
2324	takeown.exe
3524	icacls.exe

Executes dropped EXE 1 IoCs

Processes:

H2.exe

pid process

1968 H2.exe

pid	process
1968	H2.exe

Modifies file permissions 1 TTPs 30 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
7928	icacls.exe
3056	icacls.exe
828	icacls.exe
2568	icacls.exe
4628	takeown.exe
2740	icacls.exe
2784	takeown.exe
1644	icacls.exe
2668	takeown.exe
1604	icacls.exe
2168	icacls.exe
1696	icacls.exe
2672	icacls.exe
2748	takeown.exe
7756	takeown.exe
5624	takeown.exe
2504	icacls.exe
2428	takeown.exe
756	takeown.exe
2296	takeown.exe
3524	icacls.exe
5444	icacls.exe
2560	takeown.exe
848	icacls.exe
3008	takeown.exe
1696	takeown.exe
3312	takeown.exe
2720	icacls.exe
2324	takeown.exe
316	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

H2.exeH2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\H2.exe"	H2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\H2.exe"	H2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

H2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1596	2636	WerFault.exe	X78Z42S0S27U2SV0K82.exe
2760	2504	WerFault.exe	icacls.exe
1644	1988	WerFault.exe
1912	2864	WerFault.exe
816	2272	WerFault.exe	L68F35J6S61Q5VN0L83.exe
1920	2216	WerFault.exe
2412	2952	WerFault.exe	R58N47J1B10R3VW5K64.exe
3056	1308	WerFault.exe
408	3264	WerFault.exe	T05P43C3K85X0GV4G36.exe
8168	3636	WerFault.exe	D58A18B4M70N2PY0D33.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

H2.exeH2.exetakeown.exe

description pid process

Token: SeDebugPrivilege 2020 H2.exe
Token: SeDebugPrivilege 1968 H2.exe
Token: SeDebugPrivilege 1968 H2.exe
Token: SeTakeOwnershipPrivilege 2668 takeown.exe

description	pid	process
Token: SeDebugPrivilege	2020	H2.exe
Token: SeDebugPrivilege	1968	H2.exe
Token: SeDebugPrivilege	1968	H2.exe
Token: SeTakeOwnershipPrivilege	2668	takeown.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

H2.exeH2.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1968	2020	H2.exe	H2.exe
PID 2020 wrote to memory of 1968	2020	H2.exe	H2.exe
PID 2020 wrote to memory of 1968	2020	H2.exe	H2.exe
PID 2020 wrote to memory of 1968	2020	H2.exe	H2.exe
PID 1968 wrote to memory of 2384	1968	H2.exe	cmd.exe
PID 1968 wrote to memory of 2384	1968	H2.exe	cmd.exe
PID 1968 wrote to memory of 2384	1968	H2.exe	cmd.exe
PID 1968 wrote to memory of 2384	1968	H2.exe	cmd.exe
PID 2384 wrote to memory of 2668	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 2668	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 2668	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 2668	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 2720	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 2720	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 2720	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 2720	2384	cmd.exe	icacls.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe

C:\Users\Admin\AppData\Local\Temp\H2.exe
"C:\Users\Admin\AppData\Local\Temp\H2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\H2.exe
"C:\H2.exe"
2⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720

C:\$Recycle.Bin\X78Z42S0S27U2SV0K82.exe
"C:\$Recycle.Bin\X78Z42S0S27U2SV0K82.exe"
3⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 560
4⤵
- Program crash
PID:1596

C:\Documents and Settings\U20L83Y6N42Y5MY3W88.exe
"C:\Documents and Settings\U20L83Y6N42Y5MY3W88.exe"
3⤵
PID:2544

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2620

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2560

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2504

C:\$Recycle.Bin\L68F35J6S61Q5VN0L83.exe
"C:\$Recycle.Bin\L68F35J6S61Q5VN0L83.exe"
5⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 560
6⤵
- Program crash
PID:816

C:\Documents and Settings\D17S66Y0L67F5KU6F28.exe
"C:\Documents and Settings\D17S66Y0L67F5KU6F28.exe"
5⤵
PID:1612

C:\H2.exe
"C:\H2.exe"
6⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:316

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2568

C:\$Recycle.Bin\J28W26P7N78B6EN5Y06.exe
"C:\$Recycle.Bin\J28W26P7N78B6EN5Y06.exe"
7⤵
PID:3140

C:\Documents and Settings\P47H16E5R32E2SF7N03.exe
"C:\Documents and Settings\P47H16E5R32E2SF7N03.exe"
7⤵
PID:3240

C:\H2.exe
"C:\H2.exe"
8⤵
PID:4392

C:\MSOCache\K33F64X1R73J3RU4I57.exe
"C:\MSOCache\K33F64X1R73J3RU4I57.exe"
7⤵
PID:5188

C:\PerfLogs\D80C04I0D25J7DN7B77.exe
"C:\PerfLogs\D80C04I0D25J7DN7B77.exe"
7⤵
PID:5816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
7⤵
PID:6132

C:\Program Files\S27A41B2R81Y0TV3U64.exe
"C:\Program Files\S27A41B2R81Y0TV3U64.exe"
7⤵
PID:5536

C:\H2.exe
"C:\H2.exe"
8⤵
PID:8312

C:\Program Files (x86)\L48E82X8U50G0ZR1R47.exe
"C:\Program Files (x86)\L48E82X8U50G0ZR1R47.exe"
7⤵
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=mcafee%20vs%20norton%202024%20free
7⤵
PID:1876

C:\ProgramData\B05Z70K4A20X2NL2X54.exe
"C:\ProgramData\B05Z70K4A20X2NL2X54.exe"
7⤵
PID:5884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20remove%20virus
7⤵
PID:6096

C:\Recovery\Y01S08R8F63G0OV0W52.exe
"C:\Recovery\Y01S08R8F63G0OV0W52.exe"
7⤵
PID:6192

C:\Users\L41B31V7K70D1ME3T86.exe
"C:\Users\L41B31V7K70D1ME3T86.exe"
7⤵
PID:7032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
7⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:6744

C:\Windows\F08Q60Z5P23Y7IN0X30.exe
"C:\Windows\F08Q60Z5P23Y7IN0X30.exe"
7⤵
PID:7484

C:\MSOCache\M78D86C0L55S5TZ6Y23.exe
"C:\MSOCache\M78D86C0L55S5TZ6Y23.exe"
5⤵
PID:2384

C:\H2.exe
"C:\H2.exe"
6⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:2676

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2748

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1696

C:\$Recycle.Bin\D58A18B4M70N2PY0D33.exe
"C:\$Recycle.Bin\D58A18B4M70N2PY0D33.exe"
7⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 560
8⤵
- Program crash
PID:8168

C:\Documents and Settings\X38F44K6B30X6HS4Y50.exe
"C:\Documents and Settings\X38F44K6B30X6HS4Y50.exe"
7⤵
PID:4536

C:\H2.exe
"C:\H2.exe"
8⤵
PID:6960

C:\MSOCache\D37Q78P5X05X1IP7V83.exe
"C:\MSOCache\D37Q78P5X05X1IP7V83.exe"
7⤵
PID:5872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
7⤵
PID:4164

C:\PerfLogs\S08A41M2L01X3GX1H03.exe
"C:\PerfLogs\S08A41M2L01X3GX1H03.exe"
7⤵
PID:3500

C:\Program Files\N40G56H3I02P8GP8G48.exe
"C:\Program Files\N40G56H3I02P8GP8G48.exe"
7⤵
PID:6560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
7⤵
PID:6820

C:\Program Files (x86)\S78Y13X7X62T0MS4M02.exe
"C:\Program Files (x86)\S78Y13X7X62T0MS4M02.exe"
7⤵
PID:6608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
7⤵
PID:4940

C:\ProgramData\L01I27E1I85H5QL0M80.exe
"C:\ProgramData\L01I27E1I85H5QL0M80.exe"
7⤵
PID:7368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
7⤵
PID:7396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
7⤵
PID:7516

C:\Recovery\M56G11I1V12G2RY6F70.exe
"C:\Recovery\M56G11I1V12G2RY6F70.exe"
7⤵
PID:8060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download
7⤵
PID:4348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=club%20penguin
5⤵
PID:3504

C:\PerfLogs\Z40K74P2L27J7KJ2V22.exe
"C:\PerfLogs\Z40K74P2L27J7KJ2V22.exe"
5⤵
PID:3804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
5⤵
PID:3852

C:\Program Files\F78I72L3K74Y1TC5Y57.exe
"C:\Program Files\F78I72L3K74Y1TC5Y57.exe"
5⤵
PID:3756

C:\Program Files (x86)\B33K76X6P71P8EV2M72.exe
"C:\Program Files (x86)\B33K76X6P71P8EV2M72.exe"
5⤵
PID:4728

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
5⤵
PID:5080

C:\MSOCache\C83C35Y3Z53O4NK4K43.exe
"C:\MSOCache\C83C35Y3Z53O4NK4K43.exe"
3⤵
PID:2640

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:748

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:756

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:848

C:\$Recycle.Bin\U43U38C7X66H4UM7M66.exe
"C:\$Recycle.Bin\U43U38C7X66H4UM7M66.exe"
5⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 560
6⤵
- Program crash
PID:1912

C:\Documents and Settings\R13F45R6M45H0HO3Y57.exe
"C:\Documents and Settings\R13F45R6M45H0HO3Y57.exe"
5⤵
PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:4172

C:\MSOCache\J06V66L6T36Y2IL5W22.exe
"C:\MSOCache\J06V66L6T36Y2IL5W22.exe"
5⤵
PID:4344

C:\H2.exe
"C:\H2.exe"
6⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3872

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7756

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7928

C:\PerfLogs\E47I88I4Q06T3SE1H17.exe
"C:\PerfLogs\E47I88I4Q06T3SE1H17.exe"
5⤵
PID:5528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:5680

C:\Program Files\E51Q41W8L17A3KK3R51.exe
"C:\Program Files\E51Q41W8L17A3KK3R51.exe"
5⤵
PID:7044

C:\PerfLogs\R23Y37P0M87E4XN4N17.exe
"C:\PerfLogs\R23Y37P0M87E4XN4N17.exe"
3⤵
PID:1484

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:680

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1696

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2672

C:\$Recycle.Bin\D28X30N0R74J5BO3N17.exe
"C:\$Recycle.Bin\D28X30N0R74J5BO3N17.exe"
5⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 560
6⤵
- Program crash
PID:2760

C:\Documents and Settings\R11H06T7W35K7UA1W07.exe
"C:\Documents and Settings\R11H06T7W35K7UA1W07.exe"
5⤵
PID:2320

C:\H2.exe
"C:\H2.exe"
6⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:3684

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4628

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2740

C:\$Recycle.Bin\K80E07H7M15G1UV4O28.exe
"C:\$Recycle.Bin\K80E07H7M15G1UV4O28.exe"
7⤵
PID:6156

C:\Documents and Settings\S56W56E8E41V2KH2H66.exe
"C:\Documents and Settings\S56W56E8E41V2KH2H66.exe"
7⤵
PID:5096

C:\MSOCache\O75T71K7I31A7PP6Y71.exe
"C:\MSOCache\O75T71K7I31A7PP6Y71.exe"
7⤵
PID:5088

C:\PerfLogs\L07B14E3L78Y3JK3U64.exe
"C:\PerfLogs\L07B14E3L78Y3JK3U64.exe"
7⤵
PID:8216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
7⤵
PID:8304

C:\MSOCache\X64H15C6Q10B2GC4J62.exe
"C:\MSOCache\X64H15C6Q10B2GC4J62.exe"
5⤵
PID:3936

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:4048

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5624

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5444

C:\PerfLogs\Y73L06W5J07I1TM3W06.exe
"C:\PerfLogs\Y73L06W5J07I1TM3W06.exe"
5⤵
PID:556

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
5⤵
PID:3404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=club%20penguin
5⤵
PID:2304

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2
6⤵
PID:4548

C:\Program Files\D06C42V6F77N6CK1P46.exe
"C:\Program Files\D06C42V6F77N6CK1P46.exe"
5⤵
PID:1928

C:\Program Files (x86)\N22N16E7B71C2ZO4Y72.exe
"C:\Program Files (x86)\N22N16E7B71C2ZO4Y72.exe"
5⤵
PID:3316

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
5⤵
PID:2128

C:\ProgramData\H01B22W0L63Z3CP1Z55.exe
"C:\ProgramData\H01B22W0L63Z3CP1Z55.exe"
5⤵
PID:3004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=mcafee%20vs%20norton%202024%20free
5⤵
PID:2112

C:\Recovery\W05X47M2Y21M6CR4V43.exe
"C:\Recovery\W05X47M2Y21M6CR4V43.exe"
5⤵
PID:2320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
5⤵
PID:3128

C:\Users\K57X01N4T81C4DN0J77.exe
"C:\Users\K57X01N4T81C4DN0J77.exe"
5⤵
PID:3480

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%202%20buy%20large%20amounts%20of%20highly%20illegal%20substances%20undetected%202039%20method
5⤵
PID:2940

C:\Windows\M80Y75P2J76K4QH0Q25.exe
"C:\Windows\M80Y75P2J76K4QH0Q25.exe"
5⤵
PID:3584

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:6240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
5⤵
PID:6352

C:\Program Files\U70A68S1C51O0VI2A33.exe
"C:\Program Files\U70A68S1C51O0VI2A33.exe"
3⤵
PID:1820

C:\H2.exe
"C:\H2.exe"
4⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3056

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2296

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1644

C:\$Recycle.Bin\R58N47J1B10R3VW5K64.exe
"C:\$Recycle.Bin\R58N47J1B10R3VW5K64.exe"
5⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 540
6⤵
- Program crash
PID:2412

C:\Documents and Settings\F03E76W5E34W6NJ6W46.exe
"C:\Documents and Settings\F03E76W5E34W6NJ6W46.exe"
5⤵
PID:2976

C:\MSOCache\E40N62X4V03X3IZ8P06.exe
"C:\MSOCache\E40N62X4V03X3IZ8P06.exe"
5⤵
PID:4212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download
5⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:6660

C:\Program Files (x86)\Q25F40L6Y01G3QV5I67.exe
"C:\Program Files (x86)\Q25F40L6Y01G3QV5I67.exe"
3⤵
PID:2836

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2320

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2784

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1604

C:\$Recycle.Bin\R58N47J1B10R3VW5K64.exe
"C:\$Recycle.Bin\R58N47J1B10R3VW5K64.exe"
5⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 560
6⤵
- Program crash
PID:1644

C:\Documents and Settings\G38L06J6N66F7UH1G36.exe
"C:\Documents and Settings\G38L06J6N66F7UH1G36.exe"
5⤵
PID:3972

C:\MSOCache\V42X02H1B25K1NR0E11.exe
"C:\MSOCache\V42X02H1B25K1NR0E11.exe"
5⤵
PID:3568

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20remove%20virus%202024%20free%20method
5⤵
PID:4464

C:\PerfLogs\V60C87N5Y12N6BR5A14.exe
"C:\PerfLogs\V60C87N5Y12N6BR5A14.exe"
5⤵
PID:4752

C:\Program Files\Q08Q87V6Q58K5JO6E26.exe
"C:\Program Files\Q08Q87V6Q58K5JO6E26.exe"
5⤵
PID:2408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
5⤵
PID:1096

C:\Program Files (x86)\T73X24F2E27X7UI0N44.exe
"C:\Program Files (x86)\T73X24F2E27X7UI0N44.exe"
5⤵
PID:7660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7988

C:\ProgramData\J58B80U7X86G3GF5U46.exe
"C:\ProgramData\J58B80U7X86G3GF5U46.exe"
3⤵
PID:2880

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1920

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2324

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2168

C:\$Recycle.Bin\C32H86R1B08S4ID7D85.exe
"C:\$Recycle.Bin\C32H86R1B08S4ID7D85.exe"
5⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 540
6⤵
- Program crash
PID:3056

C:\Documents and Settings\M51J48Y7O20Y3DY2O65.exe
"C:\Documents and Settings\M51J48Y7O20Y3DY2O65.exe"
5⤵
PID:3332

C:\MSOCache\P15M67N3Z68J8ZW4U16.exe
"C:\MSOCache\P15M67N3Z68J8ZW4U16.exe"
5⤵
PID:3328

C:\PerfLogs\Z78N53E6G22M5YS8L47.exe
"C:\PerfLogs\Z78N53E6G22M5YS8L47.exe"
5⤵
PID:2308

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8072

C:\Program Files\Q27T10B7U80Q8SC5E41.exe
"C:\Program Files\Q27T10B7U80Q8SC5E41.exe"
5⤵
PID:4432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download
5⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7636

C:\Program Files (x86)\B85E81X2C00F3QE8F41.exe
"C:\Program Files (x86)\B85E81X2C00F3QE8F41.exe"
5⤵
PID:7644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=why%20am%20i%20extremely%20gay%3F
5⤵
PID:2996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
5⤵
PID:8956

C:\Recovery\O65R81R3T25L6KX8V64.exe
"C:\Recovery\O65R81R3T25L6KX8V64.exe"
3⤵
PID:300

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2548

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3008

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:828

C:\$Recycle.Bin\R11H06T7W35K7UA1W07.exe
"C:\$Recycle.Bin\R11H06T7W35K7UA1W07.exe"
5⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 560
6⤵
- Program crash
PID:1920

C:\Documents and Settings\I84J56C2F63M7IR8O10.exe
"C:\Documents and Settings\I84J56C2F63M7IR8O10.exe"
5⤵
PID:1924

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6616

C:\MSOCache\C76H07Y4Z70R7SH8E61.exe
"C:\MSOCache\C76H07Y4Z70R7SH8E61.exe"
5⤵
PID:3320

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5888

C:\PerfLogs\Y16J40D4Q64F3BE8W27.exe
"C:\PerfLogs\Y16J40D4Q64F3BE8W27.exe"
5⤵
PID:3884

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4552

C:\Program Files\D82M88K7K11V8XA2R53.exe
"C:\Program Files\D82M88K7K11V8XA2R53.exe"
5⤵
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:4340

C:\Program Files (x86)\N74M80A4H52X2TL6Q11.exe
"C:\Program Files (x86)\N74M80A4H52X2TL6Q11.exe"
5⤵
PID:6020

C:\ProgramData\H83T84X1R17K3ZP6B53.exe
"C:\ProgramData\H83T84X1R17K3ZP6B53.exe"
5⤵
PID:7792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:8016

C:\Recovery\Y51X01J5O85J4DS4K20.exe
"C:\Recovery\Y51X01J5O85J4DS4K20.exe"
5⤵
PID:7264

C:\Users\M05O30X0R10P7UF5V01.exe
"C:\Users\M05O30X0R10P7UF5V01.exe"
5⤵
PID:8596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=why%20am%20i%20extremely%20gay%3F
5⤵
PID:8612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:8864

C:\Users\Y01C65B4Q28A2HC3E00.exe
"C:\Users\Y01C65B4Q28A2HC3E00.exe"
3⤵
PID:876

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1636

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3056

C:\$Recycle.Bin\H44T47B2S72S1AG8N46.exe
"C:\$Recycle.Bin\H44T47B2S72S1AG8N46.exe"
5⤵
PID:3120

C:\Documents and Settings\Q27T10B7U80Q8SC5E41.exe
"C:\Documents and Settings\Q27T10B7U80Q8SC5E41.exe"
5⤵
PID:2448

C:\MSOCache\R51B16Z2X08A7XD5G57.exe
"C:\MSOCache\R51B16Z2X08A7XD5G57.exe"
5⤵
PID:4744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virus.exe
5⤵
PID:4804

C:\PerfLogs\U68Q40G3O66Y0OZ8S83.exe
"C:\PerfLogs\U68Q40G3O66Y0OZ8S83.exe"
5⤵
PID:4948

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:5040

C:\Program Files\S18V27A2A35W7ME4B87.exe
"C:\Program Files\S18V27A2A35W7ME4B87.exe"
5⤵
PID:5088

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:2420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:4800

C:\Program Files (x86)\X23T58V8Z25J4KX1Y35.exe
"C:\Program Files (x86)\X23T58V8Z25J4KX1Y35.exe"
5⤵
PID:4232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
5⤵
PID:4060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20send%20virus%202%20friend%20undetected
5⤵
PID:5392

C:\ProgramData\C11D64H8N73F8LW3G85.exe
"C:\ProgramData\C11D64H8N73F8LW3G85.exe"
5⤵
PID:6052

C:\Recovery\U42F88D1H03J3KL7W30.exe
"C:\Recovery\U42F88D1H03J3KL7W30.exe"
5⤵
PID:7096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:2912

C:\Users\X07T87J3X27C3GE5V10.exe
"C:\Users\X07T87J3X27C3GE5V10.exe"
5⤵
PID:7496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20do%20i%20make%20sure%20i%20deeply%20enjoy%20anal%20sex
5⤵
PID:7568

C:\Windows\Y78R47N7L21D6ST8U78.exe
"C:\Windows\Y78R47N7L21D6ST8U78.exe"
5⤵
PID:7852

C:\Windows\D60M26I5G73Y0JZ2R52.exe
"C:\Windows\D60M26I5G73Y0JZ2R52.exe"
3⤵
PID:268

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:2520

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3312

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3524

C:\$Recycle.Bin\T05P43C3K85X0GV4G36.exe
"C:\$Recycle.Bin\T05P43C3K85X0GV4G36.exe"
5⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 560
6⤵
- Program crash
PID:408

C:\Documents and Settings\K32A02H1M65F4AA7A78.exe
"C:\Documents and Settings\K32A02H1M65F4AA7A78.exe"
5⤵
PID:3276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20tell%20if%20i%20pregunate
5⤵
PID:5352

C:\MSOCache\Y83U47C5W63L3EB0G08.exe
"C:\MSOCache\Y83U47C5W63L3EB0G08.exe"
5⤵
PID:5364

C:\PerfLogs\R47M58I3L05K7NW4I82.exe
"C:\PerfLogs\R47M58I3L05K7NW4I82.exe"
5⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:7552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=gta%205%20mobile%20apk%20no%20virus%20free%20download
3⤵
PID:3616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=skrillex%20scary%20monster%20and%20nice%20sprites
3⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
3⤵
PID:5708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how%20to%20get%20free%20money%20no%20virus
3⤵
PID:5944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=why%20am%20i%20extremely%20gay%3F
3⤵
PID:8332

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\H2.exe
Filesize
22KB

MD5
669902e0baf0307086c9d347c66152a8

SHA1
96a5cc7d488c2273ae58a3ef22bc468d61684132

SHA256
900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea

SHA512
06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f

Download Submit
memory/268-151-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/300-111-0x00000000013C0000-0x00000000013CC000-memory.dmp

Filesize
48KB

Download
memory/556-338-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/876-133-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1308-162-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1484-69-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/1612-137-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/1820-77-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1924-334-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1928-375-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/1968-28-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-9-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-8-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/1988-148-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/2020-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/2216-159-0x00000000000B0000-0x00000000000BC000-memory.dmp

Filesize
48KB

Download
memory/2272-134-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/2308-332-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/2320-160-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2384-139-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2408-372-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2504-149-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/2544-41-0x0000000001190000-0x000000000119C000-memory.dmp

Filesize
48KB

Download
memory/2636-39-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2640-52-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/2836-81-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2864-147-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2880-86-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/3004-380-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/3240-291-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/3264-302-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/3316-280-0x00000000010C0000-0x00000000010CC000-memory.dmp

Filesize
48KB

Download
memory/3320-251-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/3480-301-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3568-277-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3584-313-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/3804-364-0x00000000011E0000-0x00000000011EC000-memory.dmp

Filesize
48KB

Download
memory/3884-240-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/3936-237-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/4344-287-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

Filesize
48KB

Download
memory/4728-306-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/4948-307-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/5088-305-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/5536-339-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

Filesize
48KB

Download
memory/7792-389-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/7852-388-0x0000000001360000-0x000000000136C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads