Analysis
- max time kernel: 93s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 18:15

Static task: static1
Behavioral task: behavioral1
- Sample: H2.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: H2.exe
- Resource: win10v2004-20240611-en
General
- Target: H2.exe
- Size: 22KB
- MD5: 669902e0baf0307086c9d347c66152a8
- SHA1: 96a5cc7d488c2273ae58a3ef22bc468d61684132
- SHA256: 900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea
- SHA512: 06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f
- SSDEEP: 384:Ql5PmFkkRZNVbwpumK3pms4eZXsKjX5msMU80UVIx2bOKJSyol+wTMUufNpJDlVX:QlekkLmKPXsK06UbTQVM/nlQ9
Malware Config
Signatures
- UAC bypass
  Processes: H2.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H2.exe
- Disables RegEdit via registry modification (1 IoCs)
  Processes: H2.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | H2.exe
- Possible privilege escalation attempt (50 IoCs)
  Processes: takeown.exe, icacls.exe (50 instances)
  pid process:
  1840 takeown.exe, 2984 takeown.exe, 3440 takeown.exe, 2408 icacls.exe, 14312 icacls.exe, 1048 icacls.exe, 3604 icacls.exe, 8648 takeown.exe, 10648 icacls.exe, 15668 takeown.exe,
  16760 icacls.exe, 2016 takeown.exe, 2016 icacls.exe, 5864 takeown.exe, 9912 takeown.exe, 8976 icacls.exe, 15188 icacls.exe, 10004 takeown.exe, 724 takeown.exe, 448 icacls.exe,
  5876 takeown.exe, 17020 icacls.exe, 5264 takeown.exe, 8196 icacls.exe, 16208 takeown.exe, 1788 takeown.exe, 4448 icacls.exe, 15508 takeown.exe, 15200 takeown.exe, 16456 takeown.exe,
  9464 takeown.exe, 14052 takeown.exe, 116 takeown.exe, 1312 takeown.exe, 4632 icacls.exe, 6568 takeown.exe, 12412 icacls.exe, 5112 takeown.exe, 6732 icacls.exe, 16768 icacls.exe,
  10656 takeown.exe, 12656 takeown.exe, 3408 icacls.exe, 5064 icacls.exe, 8800 takeown.exe, 14556 takeown.exe, 11984 icacls.exe, 17088 icacls.exe, 5780 takeown.exe, 11548 takeown.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: H2.exe, H2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | H2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | H2.exe
- Executes dropped EXE (6 IoCs)
  Processes: H2.exe, B81L07S5S46X3ZB0O33.exe, R27V82T0Q68C2BB1R31.exe, T75W33W2G31M7YV7E55.exe, E15Q27Z0J14L3XD5G35.exe, X01H48X2Z80I0MT3A76.exe
  pid process:
  1108 H2.exe, 448 B81L07S5S46X3ZB0O33.exe, 4544 R27V82T0Q68C2BB1R31.exe, 4152 T75W33W2G31M7YV7E55.exe, 3424 E15Q27Z0J14L3XD5G35.exe, 396 X01H48X2Z80I0MT3A76.exe
- Modifies file permissions (1 TTPs, 50 IoCs)
  Processes: icacls.exe, takeown.exe (50 instances)
  pid process:
  3408 icacls.exe, 3604 icacls.exe, 8648 takeown.exe, 9912 takeown.exe, 724 takeown.exe, 2408 icacls.exe, 15200 takeown.exe, 14052 takeown.exe, 17020 icacls.exe, 8976 icacls.exe,
  16456 takeown.exe, 1312 takeown.exe, 10656 takeown.exe, 5864 takeown.exe, 5264 takeown.exe, 12412 icacls.exe, 16760 icacls.exe, 5780 takeown.exe, 2984 takeown.exe, 4448 icacls.exe,
  8196 icacls.exe, 14556 takeown.exe, 8800 takeown.exe, 12656 takeown.exe, 1048 icacls.exe, 2016 icacls.exe, 9464 takeown.exe, 15508 takeown.exe, 15188 icacls.exe, 448 icacls.exe,
  6568 takeown.exe, 11548 takeown.exe, 116 takeown.exe, 2016 takeown.exe, 4632 icacls.exe, 3440 takeown.exe, 5112 takeown.exe, 10648 icacls.exe, 14312 icacls.exe, 15668 takeown.exe,
  17088 icacls.exe, 10004 takeown.exe, 6732 icacls.exe, 1788 takeown.exe, 5064 icacls.exe, 5876 takeown.exe, 11984 icacls.exe, 1840 takeown.exe, 16208 takeown.exe, 16768 icacls.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: H2.exe, H2.exe, R27V82T0Q68C2BB1R31.exe, T75W33W2G31M7YV7E55.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\H2.exe" | H2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\H2.exe" | H2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\Documents and Settings\\R27V82T0Q68C2BB1R31.exe" | R27V82T0Q68C2BB1R31.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\PerfLogs\\T75W33W2G31M7YV7E55.exe" | T75W33W2G31M7YV7E55.exe
- Checks whether UAC is enabled
  Processes: H2.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | H2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H2.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: H2.exe
  description | ioc | process
  File created | C:\Program Files\E15Q27Z0J14L3XD5G35.exe | H2.exe
  File created | C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe | H2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (9 IoCs)
  Processes: WerFault.exe (9 instances)
  pid | pid_target | process | target process
  3604 | 448 | WerFault.exe | B81L07S5S46X3ZB0O33.exe
  3228 | 4476 | WerFault.exe | Q61B34D8W88F7MQ3L78.exe
  5836 | 2288 | WerFault.exe | P88N04G2K82P5FM2O82.exe
  6488 | 2360 | WerFault.exe | J64E26F3B66N2UC0J23.exe
  6556 | 3944 | WerFault.exe | B20E48D4F50Q1BH6D01.exe
  6128 | 4572 | WerFault.exe | B01M73F5P55X2TP8V70.exe
  6740 | 896 | WerFault.exe | S55H11I1Q58T1LZ6K30.exe
  14540 | 6240 | WerFault.exe |
  18188 | 3592 | WerFault.exe | H2.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: H2.exe
  pid process: 1108 H2.exe (64 entries, all pid 1108 H2.exe)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: H2.exe, H2.exe, takeown.exe, B81L07S5S46X3ZB0O33.exe, R27V82T0Q68C2BB1R31.exe, T75W33W2G31M7YV7E55.exe
  description | pid | process
  Token: SeDebugPrivilege | 116 | H2.exe
  Token: SeDebugPrivilege | 1108 | H2.exe
  Token: SeDebugPrivilege | 1108 | H2.exe
  Token: SeTakeOwnershipPrivilege | 1788 | takeown.exe
  Token: SeDebugPrivilege | 448 | B81L07S5S46X3ZB0O33.exe
  Token: SeDebugPrivilege | 4544 | R27V82T0Q68C2BB1R31.exe
  Token: SeDebugPrivilege | 4152 | T75W33W2G31M7YV7E55.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: H2.exe, H2.exe, cmd.exe
  description | pid | process | target process (each row recorded 3 times)
  PID 116 wrote to memory of 1108 | 116 | H2.exe | H2.exe
  PID 1108 wrote to memory of 4276 | 1108 | H2.exe | cmd.exe
  PID 4276 wrote to memory of 1788 | 4276 | cmd.exe | takeown.exe
  PID 4276 wrote to memory of 3408 | 4276 | cmd.exe | icacls.exe
  PID 1108 wrote to memory of 448 | 1108 | H2.exe | B81L07S5S46X3ZB0O33.exe
  PID 1108 wrote to memory of 4544 | 1108 | H2.exe | R27V82T0Q68C2BB1R31.exe
  PID 1108 wrote to memory of 4152 | 1108 | H2.exe | T75W33W2G31M7YV7E55.exe
  PID 1108 wrote to memory of 3424 | 1108 | H2.exe | E15Q27Z0J14L3XD5G35.exe
  PID 1108 wrote to memory of 396 | 1108 | H2.exe | X01H48X2Z80I0MT3A76.exe
- System policy modification (1 TTPs, 3 IoCs)
  Processes: H2.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | H2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | H2.exe
Processes (image path | command line, nested by level)
[level 1] C:\Users\Admin\AppData\Local\Temp\H2.exe | "C:\Users\Admin\AppData\Local\Temp\H2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [level 2] C:\H2.exe | "C:\H2.exe"
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [level 3] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      [level 4] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [level 3] C:\$Recycle.Bin\B81L07S5S46X3ZB0O33.exe | "C:\$Recycle.Bin\B81L07S5S46X3ZB0O33.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      [level 4] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 892
        - Program crash
    [level 3] C:\Documents and Settings\R27V82T0Q68C2BB1R31.exe | "C:\Documents and Settings\R27V82T0Q68C2BB1R31.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\Q61B34D8W88F7MQ3L78.exe | "C:\$Recycle.Bin\Q61B34D8W88F7MQ3L78.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 892
            - Program crash
        [level 5] C:\Documents and Settings\B01M73F5P55X2TP8V70.exe | "C:\Documents and Settings\B01M73F5P55X2TP8V70.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              [level 8] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            [level 7] C:\ProgramData\I84I55Y5N63I3BY8K27.exe | "C:\ProgramData\I84I55Y5N63I3BY8K27.exe"
        [level 5] C:\PerfLogs\S06E32E8Q63P6LR7G52.exe | "C:\PerfLogs\S06E32E8Q63P6LR7G52.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\Program Files\M40Y33G3H33Q6AO4E71.exe | "C:\Program Files\M40Y33G3H33Q6AO4E71.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              [level 8] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
            [level 7] C:\$Recycle.Bin\A45Y38D3T16C8VF1C54.exe | "C:\$Recycle.Bin\A45Y38D3T16C8VF1C54.exe"
        [level 5] C:\Program Files (x86)\F22E02M0N16C4HI8F02.exe | "C:\Program Files (x86)\F22E02M0N16C4HI8F02.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\ProgramData\B43Y22L0X66J0UZ0U26.exe | "C:\ProgramData\B43Y22L0X66J0UZ0U26.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\Recovery\M42M40Q0Q48G8BG4H04.exe | "C:\Recovery\M42M40Q0Q48G8BG4H04.exe"
        [level 5] C:\Users\E15Z32R4I35U5BH0E85.exe | "C:\Users\E15Z32R4I35U5BH0E85.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        [level 5] C:\Windows\C86I11L8Y60W7UV7G02.exe | "C:\Windows\C86I11L8Y60W7UV7G02.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
          [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%202%20remove%20virus
    [level 3] C:\PerfLogs\T75W33W2G31M7YV7E55.exe | "C:\PerfLogs\T75W33W2G31M7YV7E55.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\P88N04G2K82P5FM2O82.exe | "C:\$Recycle.Bin\P88N04G2K82P5FM2O82.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 900
            - Program crash
        [level 5] C:\Documents and Settings\S02L45J2U66W7LN3U74.exe | "C:\Documents and Settings\S02L45J2U66W7LN3U74.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\PerfLogs\G40O23I5T14O3YR4V45.exe | "C:\PerfLogs\G40O23I5T14O3YR4V45.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Program Files\K75Q83I4C66E3TG6Z76.exe | "C:\Program Files\K75Q83I4C66E3TG6Z76.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Program Files (x86)\C58X81O2S63K0DM3R50.exe | "C:\Program Files (x86)\C58X81O2S63K0DM3R50.exe"
        [level 5] C:\ProgramData\C35S24Q3J62H2ML0C57.exe | "C:\ProgramData\C35S24Q3J62H2ML0C57.exe"
        [level 5] C:\Recovery\L37U86N6B71J0DH5G54.exe | "C:\Recovery\L37U86N6B71J0DH5G54.exe"
        [level 5] C:\Users\D18U61X7E63M6VG1D78.exe | "C:\Users\D18U61X7E63M6VG1D78.exe"
        [level 5] C:\Windows\M50H47Z6H63Z8ES8D21.exe | "C:\Windows\M50H47Z6H63Z8ES8D21.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
          [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
    [level 3] C:\Program Files\E15Q27Z0J14L3XD5G35.exe | "C:\Program Files\E15Q27Z0J14L3XD5G35.exe"
      - Executes dropped EXE
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\J64E26F3B66N2UC0J23.exe | "C:\$Recycle.Bin\J64E26F3B66N2UC0J23.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 892
            - Program crash
        [level 5] C:\Documents and Settings\M64R15O8A40I5TH7W05.exe | "C:\Documents and Settings\M64R15O8A40I5TH7W05.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\PerfLogs\R58C41N5M76L1EY8I22.exe | "C:\PerfLogs\R58C41N5M76L1EY8I22.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
              [level 8] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\Program Files\K13V28J4G74I0UU2K22.exe | "C:\Program Files\K13V28J4G74I0UU2K22.exe"
        [level 5] C:\Program Files (x86)\G83A51O0C24A0ZB5V01.exe | "C:\Program Files (x86)\G83A51O0C24A0ZB5V01.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\ProgramData\B14O85S5K83Y3XX7F17.exe | "C:\ProgramData\B14O85S5K83Y3XX7F17.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Recovery\F26G04Z0I44D6LQ7P30.exe | "C:\Recovery\F26G04Z0I44D6LQ7P30.exe"
        [level 5] C:\Users\G73I80U4E46I3KR1N04.exe | "C:\Users\G73I80U4E46I3KR1N04.exe"
        [level 5] C:\Windows\E01J78G5N68C7WY2G02.exe | "C:\Windows\E01J78G5N68C7WY2G02.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
    [level 3] C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe | "C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe"
      - Executes dropped EXE
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\B01M73F5P55X2TP8V70.exe | "C:\$Recycle.Bin\B01M73F5P55X2TP8V70.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 900
            - Program crash
        [level 5] C:\Documents and Settings\R84S68F8H88Z6EV4Q34.exe | "C:\Documents and Settings\R84S68F8H88Z6EV4Q34.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\PerfLogs\G40O23I5T14O3YR4V45.exe | "C:\PerfLogs\G40O23I5T14O3YR4V45.exe"
        [level 5] C:\Program Files\Q00U76O7J01Y5OV1A37.exe | "C:\Program Files\Q00U76O7J01Y5OV1A37.exe"
        [level 5] C:\Program Files (x86)\Y01Q53Q5Z10R2QX7Z26.exe | "C:\Program Files (x86)\Y01Q53Q5Z10R2QX7Z26.exe"
        [level 5] C:\ProgramData\N17B04O7B44W3SD5I72.exe | "C:\ProgramData\N17B04O7B44W3SD5I72.exe"
        [level 5] C:\Recovery\A14I00X0H03Q2HC0A00.exe | "C:\Recovery\A14I00X0H03Q2HC0A00.exe"
        [level 5] C:\Users\H17R85P0N25U8QG5Z56.exe | "C:\Users\H17R85P0N25U8QG5Z56.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\E04C64B2J66U7VC6S80.exe | "C:\Windows\E04C64B2J66U7VC6S80.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
    [level 3] C:\ProgramData\U43Z02Z4H26Q2YD6I33.exe | "C:\ProgramData\U43Z02Z4H26Q2YD6I33.exe"
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\I34N27E3O85T5MR8I50.exe | "C:\$Recycle.Bin\I34N27E3O85T5MR8I50.exe"
        [level 5] C:\Documents and Settings\S81F57F8O72P8UL7J53.exe | "C:\Documents and Settings\S81F57F8O72P8UL7J53.exe"
        [level 5] C:\PerfLogs\Z01W48L1C10A3GS6D34.exe | "C:\PerfLogs\Z01W48L1C10A3GS6D34.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Program Files\G83A51O0C24A0ZB5V01.exe | "C:\Program Files\G83A51O0C24A0ZB5V01.exe"
        [level 5] C:\Program Files (x86)\Q33F14U2S12K3QF2Z84.exe | "C:\Program Files (x86)\Q33F14U2S12K3QF2Z84.exe"
        [level 5] C:\ProgramData\O04O83O6I46M5JU0B02.exe | "C:\ProgramData\O04O83O6I46M5JU0B02.exe"
        [level 5] C:\Recovery\Z11W25Y1Z28A2AG5K71.exe | "C:\Recovery\Z11W25Y1Z28A2AG5K71.exe"
        [level 5] C:\Users\P82S58E0F41Q8DP7M25.exe | "C:\Users\P82S58E0F41Q8DP7M25.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\N88A88K4U76S6GY5R88.exe | "C:\Windows\N88A88K4U76S6GY5R88.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=why%20am%20i%20extremely%20gay%3F
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
    [level 3] C:\Recovery\Q85S65B7O64X4LN1Q00.exe | "C:\Recovery\Q85S65B7O64X4LN1Q00.exe"
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\B20E48D4F50Q1BH6D01.exe | "C:\$Recycle.Bin\B20E48D4F50Q1BH6D01.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 900
            - Program crash
        [level 5] C:\Documents and Settings\C53W62E4Q50L0TM6H55.exe | "C:\Documents and Settings\C53W62E4Q50L0TM6H55.exe"
        [level 5] C:\PerfLogs\A71X61R5Z83E5FS7A53.exe | "C:\PerfLogs\A71X61R5Z83E5FS7A53.exe"
        [level 5] C:\Program Files\J41B02R2S87K6XW2I26.exe | "C:\Program Files\J41B02R2S87K6XW2I26.exe"
        [level 5] C:\Program Files (x86)\J78G37S3W04O3XK8T52.exe | "C:\Program Files (x86)\J78G37S3W04O3XK8T52.exe"
        [level 5] C:\ProgramData\K74T36T2D87E5OB3M72.exe | "C:\ProgramData\K74T36T2D87E5OB3M72.exe"
        [level 5] C:\Recovery\W11R74U7D57N2LR2P02.exe | "C:\Recovery\W11R74U7D57N2LR2P02.exe"
        [level 5] C:\Users\Q41A23D7I36D4TS5U11.exe | "C:\Users\Q41A23D7I36D4TS5U11.exe"
        [level 5] C:\Windows\C45W43N1G02H3AU5W00.exe | "C:\Windows\C45W43N1G02H3AU5W00.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
          [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
    [level 3] C:\Users\Y10Z04W0Q83C8UK0I07.exe | "C:\Users\Y10Z04W0Q83C8UK0I07.exe"
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\L11H24G2U42W0SD4D16.exe | "C:\$Recycle.Bin\L11H24G2U42W0SD4D16.exe"
        [level 5] C:\Documents and Settings\O01V13P8T24S4RI2Q88.exe | "C:\Documents and Settings\O01V13P8T24S4RI2Q88.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
              [level 8] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
                - Possible privilege escalation attempt
                - Modifies file permissions
        [level 5] C:\PerfLogs\O38F34L4A22E2IR7G32.exe | "C:\PerfLogs\O38F34L4A22E2IR7G32.exe"
        [level 5] C:\Program Files\L57N45U3V67A6NG8U88.exe | "C:\Program Files\L57N45U3V67A6NG8U88.exe"
        [level 5] C:\Program Files (x86)\K37O01R1Z70A8NM6B46.exe | "C:\Program Files (x86)\K37O01R1Z70A8NM6B46.exe"
        [level 5] C:\ProgramData\O30O55A6H36M2TO8E57.exe | "C:\ProgramData\O30O55A6H36M2TO8E57.exe"
        [level 5] C:\Recovery\T02V51B5U06F0PR7T24.exe | "C:\Recovery\T02V51B5U06F0PR7T24.exe"
        [level 5] C:\Users\Q41A23D7I36D4TS5U11.exe | "C:\Users\Q41A23D7I36D4TS5U11.exe"
        [level 5] C:\Windows\B76T65J8G16D8AN6S23.exe | "C:\Windows\B76T65J8G16D8AN6S23.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
        [level 5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 3280
          - Program crash
    [level 3] C:\Windows\C26J10Y0J31Y1IH5E17.exe | "C:\Windows\C26J10Y0J31Y1IH5E17.exe"
      [level 4] C:\H2.exe | "C:\H2.exe"
        [level 5] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
          [level 6] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
          [level 6] C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [level 5] C:\$Recycle.Bin\S55H11I1Q58T1LZ6K30.exe | "C:\$Recycle.Bin\S55H11I1Q58T1LZ6K30.exe"
          [level 6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 892
            - Program crash
        [level 5] C:\Documents and Settings\X14D54Q5S26B0ZG3F06.exe | "C:\Documents and Settings\X14D54Q5S26B0ZG3F06.exe"
        [level 5] C:\PerfLogs\U84G47O5G62V0DZ2D15.exe | "C:\PerfLogs\U84G47O5G62V0DZ2D15.exe"
          [level 6] C:\H2.exe | "C:\H2.exe"
            [level 7] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
        [level 5] C:\Program Files\C86I11L8Y60W7UV7G02.exe | "C:\Program Files\C86I11L8Y60W7UV7G02.exe"
        [level 5] C:\Program Files (x86)\U00F16R6B68W0MN5Z48.exe | "C:\Program Files (x86)\U00F16R6B68W0MN5Z48.exe"
        [level 5] C:\ProgramData\D18U61X7E63M6VG1D78.exe | "C:\ProgramData\D18U61X7E63M6VG1D78.exe"
        [level 5] C:\Recovery\G31F72C1D41E5UD1M73.exe | "C:\Recovery\G31F72C1D41E5UD1M73.exe"
        [level 5] C:\Users\P82S58E0F41Q8DP7M25.exe | "C:\Users\P82S58E0F41Q8DP7M25.exe"
        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
    [level 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=club%20penguin
      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:14⤵
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4476 -ip 4476
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2288 -ip 2288
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4572 -ip 4572
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3944 -ip 3944
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2360 -ip 2360
-
C:\Windows\system32\AUDIODG.EXE (depth 1)
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x51c
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2776 -ip 2776
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 896 -ip 896
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2348 -ip 2348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\icacls.exe (depth 1)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 900
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 13144 -ip 13144
-
C:\Windows\SysWOW64\icacls.exe (depth 1)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
-
C:\Windows\SysWOW64\icacls.exe (depth 1)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 1)
icacls C:\Windows\System32 /grant "Admin:F"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 14572 -ip 14572
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 1)
takeown /f C:\Windows\System32
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\H2.exe (depth 1)
"C:\H2.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Downloads
-
C:\H2.exe
Filesize
22KB
MD5
669902e0baf0307086c9d347c66152a8
SHA1
96a5cc7d488c2273ae58a3ef22bc468d61684132
SHA256
900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea
SHA512
06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H2.exe.log
Filesize
226B
MD5
916851e072fbabc4796d8916c5131092
SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
b6f2d6d5d0c12549c78194121f15eb20
SHA1
d37c414763dc76682c4616516c97255e388f1113
SHA256
8066487482f1ed2da5c8c199f4fdaa5a7c40de780f72843cedf2745055c22023
SHA512
dae8ff30a7273adb6d0ee1cb008dac54ddf2099d65df241a546868ebe28859a7b62f4b1349620eda8338361b4acc197dd9aed7ee0142a50359083c25f0069afc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
56067634f68231081c4bd5bdbfcc202f
SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1
SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
memory/116-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
Filesize
4KB
-
memory/116-1-0x00000000009F0000-0x00000000009FC000-memory.dmp
Filesize
48KB
-
memory/1108-13-0x0000000074EA0000-0x0000000075650000-memory.dmp
Filesize
7.7MB
-
memory/1108-31-0x0000000074EA0000-0x0000000075650000-memory.dmp
Filesize
7.7MB