900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 18:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

H2.exe
Size

22KB
MD5

669902e0baf0307086c9d347c66152a8
SHA1

96a5cc7d488c2273ae58a3ef22bc468d61684132
SHA256

900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea
SHA512

06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f
SSDEEP

384:Ql5PmFkkRZNVbwpumK3pms4eZXsKjX5msMU80UVIx2bOKJSyol+wTMUufNpJDlVX:QlekkLmKPXsK06UbTQVM/nlQ9

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" H2.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

H2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Possible privilege escalation attempt 50 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
1840	takeown.exe
2984	takeown.exe
3440	takeown.exe
2408	icacls.exe
14312	icacls.exe
1048	icacls.exe
3604	icacls.exe
8648	takeown.exe
10648	icacls.exe
15668	takeown.exe
16760	icacls.exe
2016	takeown.exe
2016	icacls.exe
5864	takeown.exe
9912	takeown.exe
8976	icacls.exe
15188	icacls.exe
10004	takeown.exe
724	takeown.exe
448	icacls.exe
5876	takeown.exe
17020	icacls.exe
5264	takeown.exe
8196	icacls.exe
16208	takeown.exe
1788	takeown.exe
4448	icacls.exe
15508	takeown.exe
15200	takeown.exe
16456	takeown.exe
9464	takeown.exe
14052	takeown.exe
116	takeown.exe
1312	takeown.exe
4632	icacls.exe
6568	takeown.exe
12412	icacls.exe
5112	takeown.exe
6732	icacls.exe
16768	icacls.exe
10656	takeown.exe
12656	takeown.exe
3408	icacls.exe
5064	icacls.exe
8800	takeown.exe
14556	takeown.exe
11984	icacls.exe
17088	icacls.exe
5780	takeown.exe
11548	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

H2.exeH2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	H2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	H2.exe

Executes dropped EXE 6 IoCs

Processes:

H2.exeB81L07S5S46X3ZB0O33.exeR27V82T0Q68C2BB1R31.exeT75W33W2G31M7YV7E55.exeE15Q27Z0J14L3XD5G35.exeX01H48X2Z80I0MT3A76.exe

pid process

1108 H2.exe
448 B81L07S5S46X3ZB0O33.exe
4544 R27V82T0Q68C2BB1R31.exe
4152 T75W33W2G31M7YV7E55.exe
3424 E15Q27Z0J14L3XD5G35.exe
396 X01H48X2Z80I0MT3A76.exe

Modifies file permissions 1 TTPs 50 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
3408	icacls.exe
3604	icacls.exe
8648	takeown.exe
9912	takeown.exe
724	takeown.exe
2408	icacls.exe
15200	takeown.exe
14052	takeown.exe
17020	icacls.exe
8976	icacls.exe
16456	takeown.exe
1312	takeown.exe
10656	takeown.exe
5864	takeown.exe
5264	takeown.exe
12412	icacls.exe
16760	icacls.exe
5780	takeown.exe
2984	takeown.exe
4448	icacls.exe
8196	icacls.exe
14556	takeown.exe
8800	takeown.exe
12656	takeown.exe
1048	icacls.exe
2016	icacls.exe
9464	takeown.exe
15508	takeown.exe
15188	icacls.exe
448	icacls.exe
6568	takeown.exe
11548	takeown.exe
116	takeown.exe
2016	takeown.exe
4632	icacls.exe
3440	takeown.exe
5112	takeown.exe
10648	icacls.exe
14312	icacls.exe
15668	takeown.exe
17088	icacls.exe
10004	takeown.exe
6732	icacls.exe
1788	takeown.exe
5064	icacls.exe
5876	takeown.exe
11984	icacls.exe
1840	takeown.exe
16208	takeown.exe
16768	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

H2.exeH2.exeR27V82T0Q68C2BB1R31.exeT75W33W2G31M7YV7E55.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\H2.exe"	H2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\H2.exe"	H2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\Documents and Settings\\R27V82T0Q68C2BB1R31.exe"	R27V82T0Q68C2BB1R31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\H2 = "C:\\PerfLogs\\T75W33W2G31M7YV7E55.exe"	T75W33W2G31M7YV7E55.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

H2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe

Drops file in Program Files directory 2 IoCs

Processes:

H2.exe

description ioc process

File created C:\Program Files\E15Q27Z0J14L3XD5G35.exe H2.exe
File created C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe H2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\E15Q27Z0J14L3XD5G35.exe	H2.exe
File created	C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe	H2.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3604	448	WerFault.exe	B81L07S5S46X3ZB0O33.exe
3228	4476	WerFault.exe	Q61B34D8W88F7MQ3L78.exe
5836	2288	WerFault.exe	P88N04G2K82P5FM2O82.exe
6488	2360	WerFault.exe	J64E26F3B66N2UC0J23.exe
6556	3944	WerFault.exe	B20E48D4F50Q1BH6D01.exe
6128	4572	WerFault.exe	B01M73F5P55X2TP8V70.exe
6740	896	WerFault.exe	S55H11I1Q58T1LZ6K30.exe
14540	6240	WerFault.exe
18188	3592	WerFault.exe	H2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

H2.exe

pid	process
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe
1108	H2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

H2.exeH2.exetakeown.exeB81L07S5S46X3ZB0O33.exeR27V82T0Q68C2BB1R31.exeT75W33W2G31M7YV7E55.exe

description	pid	process
Token: SeDebugPrivilege	116	H2.exe
Token: SeDebugPrivilege	1108	H2.exe
Token: SeDebugPrivilege	1108	H2.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeDebugPrivilege	448	B81L07S5S46X3ZB0O33.exe
Token: SeDebugPrivilege	4544	R27V82T0Q68C2BB1R31.exe
Token: SeDebugPrivilege	4152	T75W33W2G31M7YV7E55.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

H2.exeH2.execmd.exe

description	pid	process	target process
PID 116 wrote to memory of 1108	116	H2.exe	H2.exe
PID 116 wrote to memory of 1108	116	H2.exe	H2.exe
PID 116 wrote to memory of 1108	116	H2.exe	H2.exe
PID 1108 wrote to memory of 4276	1108	H2.exe	cmd.exe
PID 1108 wrote to memory of 4276	1108	H2.exe	cmd.exe
PID 1108 wrote to memory of 4276	1108	H2.exe	cmd.exe
PID 4276 wrote to memory of 1788	4276	cmd.exe	takeown.exe
PID 4276 wrote to memory of 1788	4276	cmd.exe	takeown.exe
PID 4276 wrote to memory of 1788	4276	cmd.exe	takeown.exe
PID 4276 wrote to memory of 3408	4276	cmd.exe	icacls.exe
PID 4276 wrote to memory of 3408	4276	cmd.exe	icacls.exe
PID 4276 wrote to memory of 3408	4276	cmd.exe	icacls.exe
PID 1108 wrote to memory of 448	1108	H2.exe	B81L07S5S46X3ZB0O33.exe
PID 1108 wrote to memory of 448	1108	H2.exe	B81L07S5S46X3ZB0O33.exe
PID 1108 wrote to memory of 448	1108	H2.exe	B81L07S5S46X3ZB0O33.exe
PID 1108 wrote to memory of 4544	1108	H2.exe	R27V82T0Q68C2BB1R31.exe
PID 1108 wrote to memory of 4544	1108	H2.exe	R27V82T0Q68C2BB1R31.exe
PID 1108 wrote to memory of 4544	1108	H2.exe	R27V82T0Q68C2BB1R31.exe
PID 1108 wrote to memory of 4152	1108	H2.exe	T75W33W2G31M7YV7E55.exe
PID 1108 wrote to memory of 4152	1108	H2.exe	T75W33W2G31M7YV7E55.exe
PID 1108 wrote to memory of 4152	1108	H2.exe	T75W33W2G31M7YV7E55.exe
PID 1108 wrote to memory of 3424	1108	H2.exe	E15Q27Z0J14L3XD5G35.exe
PID 1108 wrote to memory of 3424	1108	H2.exe	E15Q27Z0J14L3XD5G35.exe
PID 1108 wrote to memory of 3424	1108	H2.exe	E15Q27Z0J14L3XD5G35.exe
PID 1108 wrote to memory of 396	1108	H2.exe	X01H48X2Z80I0MT3A76.exe
PID 1108 wrote to memory of 396	1108	H2.exe	X01H48X2Z80I0MT3A76.exe
PID 1108 wrote to memory of 396	1108	H2.exe	X01H48X2Z80I0MT3A76.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

H2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	H2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	H2.exe

C:\Users\Admin\AppData\Local\Temp\H2.exe
"C:\Users\Admin\AppData\Local\Temp\H2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\H2.exe
"C:\H2.exe"
2⤵
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
3⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3408

C:\$Recycle.Bin\B81L07S5S46X3ZB0O33.exe
"C:\$Recycle.Bin\B81L07S5S46X3ZB0O33.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 892
4⤵
- Program crash
PID:3604

C:\Documents and Settings\R27V82T0Q68C2BB1R31.exe
"C:\Documents and Settings\R27V82T0Q68C2BB1R31.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3944

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:116

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1048

C:\$Recycle.Bin\Q61B34D8W88F7MQ3L78.exe
"C:\$Recycle.Bin\Q61B34D8W88F7MQ3L78.exe"
5⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 892
6⤵
- Program crash
PID:3228

C:\Documents and Settings\B01M73F5P55X2TP8V70.exe
"C:\Documents and Settings\B01M73F5P55X2TP8V70.exe"
5⤵
PID:4396

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:6860

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8648

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6732

C:\ProgramData\I84I55Y5N63I3BY8K27.exe
"C:\ProgramData\I84I55Y5N63I3BY8K27.exe"
7⤵
PID:17184

C:\PerfLogs\S06E32E8Q63P6LR7G52.exe
"C:\PerfLogs\S06E32E8Q63P6LR7G52.exe"
5⤵
PID:1584

C:\H2.exe
"C:\H2.exe"
6⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:7688

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10656

C:\Program Files\M40Y33G3H33Q6AO4E71.exe
"C:\Program Files\M40Y33G3H33Q6AO4E71.exe"
5⤵
PID:3848

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:8936

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5876

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8196

C:\$Recycle.Bin\A45Y38D3T16C8VF1C54.exe
"C:\$Recycle.Bin\A45Y38D3T16C8VF1C54.exe"
7⤵
PID:14572

C:\Program Files (x86)\F22E02M0N16C4HI8F02.exe
"C:\Program Files (x86)\F22E02M0N16C4HI8F02.exe"
5⤵
PID:4136

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6788

C:\ProgramData\B43Y22L0X66J0UZ0U26.exe
"C:\ProgramData\B43Y22L0X66J0UZ0U26.exe"
5⤵
PID:3164

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:11660

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:17088

C:\Recovery\M42M40Q0Q48G8BG4H04.exe
"C:\Recovery\M42M40Q0Q48G8BG4H04.exe"
5⤵
PID:5540

C:\Users\E15Z32R4I35U5BH0E85.exe
"C:\Users\E15Z32R4I35U5BH0E85.exe"
5⤵
PID:1420

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:14824

C:\Windows\C86I11L8Y60W7UV7G02.exe
"C:\Windows\C86I11L8Y60W7UV7G02.exe"
5⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:12940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
6⤵
PID:9764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exit
5⤵
PID:15872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how%202%20remove%20virus
5⤵
PID:8632

C:\PerfLogs\T75W33W2G31M7YV7E55.exe
"C:\PerfLogs\T75W33W2G31M7YV7E55.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:1536

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4448

C:\$Recycle.Bin\P88N04G2K82P5FM2O82.exe
"C:\$Recycle.Bin\P88N04G2K82P5FM2O82.exe"
5⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 900
6⤵
- Program crash
PID:5836

C:\Documents and Settings\S02L45J2U66W7LN3U74.exe
"C:\Documents and Settings\S02L45J2U66W7LN3U74.exe"
5⤵
PID:1872

C:\H2.exe
"C:\H2.exe"
6⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:9064

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5864

C:\PerfLogs\G40O23I5T14O3YR4V45.exe
"C:\PerfLogs\G40O23I5T14O3YR4V45.exe"
5⤵
PID:4856

C:\H2.exe
"C:\H2.exe"
6⤵
PID:5464

C:\Program Files\K75Q83I4C66E3TG6Z76.exe
"C:\Program Files\K75Q83I4C66E3TG6Z76.exe"
5⤵
PID:5488

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10096

C:\Program Files (x86)\C58X81O2S63K0DM3R50.exe
"C:\Program Files (x86)\C58X81O2S63K0DM3R50.exe"
5⤵
PID:5208

C:\ProgramData\C35S24Q3J62H2ML0C57.exe
"C:\ProgramData\C35S24Q3J62H2ML0C57.exe"
5⤵
PID:5332

C:\Recovery\L37U86N6B71J0DH5G54.exe
"C:\Recovery\L37U86N6B71J0DH5G54.exe"
5⤵
PID:6384

C:\Users\D18U61X7E63M6VG1D78.exe
"C:\Users\D18U61X7E63M6VG1D78.exe"
5⤵
PID:7040

C:\Windows\M50H47Z6H63Z8ES8D21.exe
"C:\Windows\M50H47Z6H63Z8ES8D21.exe"
5⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
6⤵
PID:6704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=best%20way%20to%20kill%20yourself%202024%20method%20free%20ultra%20undetected
5⤵
PID:13776

C:\Program Files\E15Q27Z0J14L3XD5G35.exe
"C:\Program Files\E15Q27Z0J14L3XD5G35.exe"
3⤵
- Executes dropped EXE
PID:3424

C:\H2.exe
"C:\H2.exe"
4⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:764

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4632

C:\$Recycle.Bin\J64E26F3B66N2UC0J23.exe
"C:\$Recycle.Bin\J64E26F3B66N2UC0J23.exe"
5⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 892
6⤵
- Program crash
PID:6488

C:\Documents and Settings\M64R15O8A40I5TH7W05.exe
"C:\Documents and Settings\M64R15O8A40I5TH7W05.exe"
5⤵
PID:3368

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:7500

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11984

C:\PerfLogs\R58C41N5M76L1EY8I22.exe
"C:\PerfLogs\R58C41N5M76L1EY8I22.exe"
5⤵
PID:5516

C:\H2.exe
"C:\H2.exe"
6⤵
PID:8576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:8548

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8800

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10648

C:\Program Files\K13V28J4G74I0UU2K22.exe
"C:\Program Files\K13V28J4G74I0UU2K22.exe"
5⤵
PID:3628

C:\Program Files (x86)\G83A51O0C24A0ZB5V01.exe
"C:\Program Files (x86)\G83A51O0C24A0ZB5V01.exe"
5⤵
PID:1348

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7212

C:\ProgramData\B14O85S5K83Y3XX7F17.exe
"C:\ProgramData\B14O85S5K83Y3XX7F17.exe"
5⤵
PID:6724

C:\H2.exe
"C:\H2.exe"
6⤵
PID:7224

C:\Recovery\F26G04Z0I44D6LQ7P30.exe
"C:\Recovery\F26G04Z0I44D6LQ7P30.exe"
5⤵
PID:6392

C:\Users\G73I80U4E46I3KR1N04.exe
"C:\Users\G73I80U4E46I3KR1N04.exe"
5⤵
PID:3276

C:\Windows\E01J78G5N68C7WY2G02.exe
"C:\Windows\E01J78G5N68C7WY2G02.exe"
5⤵
PID:7576

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6824

C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe
"C:\Program Files (x86)\X01H48X2Z80I0MT3A76.exe"
3⤵
- Executes dropped EXE
PID:396

C:\H2.exe
"C:\H2.exe"
4⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:4760

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1840

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5064

C:\$Recycle.Bin\B01M73F5P55X2TP8V70.exe
"C:\$Recycle.Bin\B01M73F5P55X2TP8V70.exe"
5⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 900
6⤵
- Program crash
PID:6128

C:\Documents and Settings\R84S68F8H88Z6EV4Q34.exe
"C:\Documents and Settings\R84S68F8H88Z6EV4Q34.exe"
5⤵
PID:3208

C:\H2.exe
"C:\H2.exe"
6⤵
PID:6980

C:\PerfLogs\G40O23I5T14O3YR4V45.exe
"C:\PerfLogs\G40O23I5T14O3YR4V45.exe"
5⤵
PID:4264

C:\Program Files\Q00U76O7J01Y5OV1A37.exe
"C:\Program Files\Q00U76O7J01Y5OV1A37.exe"
5⤵
PID:5768

C:\Program Files (x86)\Y01Q53Q5Z10R2QX7Z26.exe
"C:\Program Files (x86)\Y01Q53Q5Z10R2QX7Z26.exe"
5⤵
PID:5560

C:\ProgramData\N17B04O7B44W3SD5I72.exe
"C:\ProgramData\N17B04O7B44W3SD5I72.exe"
5⤵
PID:5820

C:\Recovery\A14I00X0H03Q2HC0A00.exe
"C:\Recovery\A14I00X0H03Q2HC0A00.exe"
5⤵
PID:6532

C:\Users\H17R85P0N25U8QG5Z56.exe
"C:\Users\H17R85P0N25U8QG5Z56.exe"
5⤵
PID:7120

C:\H2.exe
"C:\H2.exe"
6⤵
PID:12204

C:\Windows\E04C64B2J66U7VC6S80.exe
"C:\Windows\E04C64B2J66U7VC6S80.exe"
5⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=gta%206%20premium%20free%20download%20no%20virus%20undetected%203am%20challenge
5⤵
PID:5148

C:\ProgramData\U43Z02Z4H26Q2YD6I33.exe
"C:\ProgramData\U43Z02Z4H26Q2YD6I33.exe"
3⤵
PID:3792

C:\H2.exe
"C:\H2.exe"
4⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:4400

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:724

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016

C:\$Recycle.Bin\I34N27E3O85T5MR8I50.exe
"C:\$Recycle.Bin\I34N27E3O85T5MR8I50.exe"
5⤵
PID:2776

C:\Documents and Settings\S81F57F8O72P8UL7J53.exe
"C:\Documents and Settings\S81F57F8O72P8UL7J53.exe"
5⤵
PID:5444

C:\PerfLogs\Z01W48L1C10A3GS6D34.exe
"C:\PerfLogs\Z01W48L1C10A3GS6D34.exe"
5⤵
PID:5148

C:\H2.exe
"C:\H2.exe"
6⤵
PID:11260

C:\Program Files\G83A51O0C24A0ZB5V01.exe
"C:\Program Files\G83A51O0C24A0ZB5V01.exe"
5⤵
PID:4500

C:\Program Files (x86)\Q33F14U2S12K3QF2Z84.exe
"C:\Program Files (x86)\Q33F14U2S12K3QF2Z84.exe"
5⤵
PID:2756

C:\ProgramData\O04O83O6I46M5JU0B02.exe
"C:\ProgramData\O04O83O6I46M5JU0B02.exe"
5⤵
PID:6776

C:\Recovery\Z11W25Y1Z28A2AG5K71.exe
"C:\Recovery\Z11W25Y1Z28A2AG5K71.exe"
5⤵
PID:6160

C:\Users\P82S58E0F41Q8DP7M25.exe
"C:\Users\P82S58E0F41Q8DP7M25.exe"
5⤵
PID:7596

C:\H2.exe
"C:\H2.exe"
6⤵
PID:10244

C:\Windows\N88A88K4U76S6GY5R88.exe
"C:\Windows\N88A88K4U76S6GY5R88.exe"
5⤵
PID:9796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=why%20am%20i%20extremely%20gay%3F
5⤵
PID:13052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=minecraft%20hax%20download%202024%20free%20no%20virus%20undetected
5⤵
PID:17084

C:\Recovery\Q85S65B7O64X4LN1Q00.exe
"C:\Recovery\Q85S65B7O64X4LN1Q00.exe"
3⤵
PID:3316

C:\H2.exe
"C:\H2.exe"
4⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:4832

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2984

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:448

C:\$Recycle.Bin\B20E48D4F50Q1BH6D01.exe
"C:\$Recycle.Bin\B20E48D4F50Q1BH6D01.exe"
5⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 900
6⤵
- Program crash
PID:6556

C:\Documents and Settings\C53W62E4Q50L0TM6H55.exe
"C:\Documents and Settings\C53W62E4Q50L0TM6H55.exe"
5⤵
PID:4652

C:\PerfLogs\A71X61R5Z83E5FS7A53.exe
"C:\PerfLogs\A71X61R5Z83E5FS7A53.exe"
5⤵
PID:5900

C:\Program Files\J41B02R2S87K6XW2I26.exe
"C:\Program Files\J41B02R2S87K6XW2I26.exe"
5⤵
PID:4536

C:\Program Files (x86)\J78G37S3W04O3XK8T52.exe
"C:\Program Files (x86)\J78G37S3W04O3XK8T52.exe"
5⤵
PID:6520

C:\ProgramData\K74T36T2D87E5OB3M72.exe
"C:\ProgramData\K74T36T2D87E5OB3M72.exe"
5⤵
PID:6588

C:\Recovery\W11R74U7D57N2LR2P02.exe
"C:\Recovery\W11R74U7D57N2LR2P02.exe"
5⤵
PID:6408

C:\Users\Q41A23D7I36D4TS5U11.exe
"C:\Users\Q41A23D7I36D4TS5U11.exe"
5⤵
PID:7748

C:\Windows\C45W43N1G02H3AU5W00.exe
"C:\Windows\C45W43N1G02H3AU5W00.exe"
5⤵
PID:10728

C:\H2.exe
"C:\H2.exe"
6⤵
PID:13364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=my%20computer%20is%20doing%20very%20weird%20things%20help%20me%20pls%20what%20is%20happening%20plz%20help
5⤵
PID:13356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
6⤵
PID:14108

C:\Users\Y10Z04W0Q83C8UK0I07.exe
"C:\Users\Y10Z04W0Q83C8UK0I07.exe"
3⤵
PID:2708

C:\H2.exe
"C:\H2.exe"
4⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:3236

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3440

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2408

C:\$Recycle.Bin\L11H24G2U42W0SD4D16.exe
"C:\$Recycle.Bin\L11H24G2U42W0SD4D16.exe"
5⤵
PID:2348

C:\Documents and Settings\O01V13P8T24S4RI2Q88.exe
"C:\Documents and Settings\O01V13P8T24S4RI2Q88.exe"
5⤵
PID:5652

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:7164

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9912

C:\PerfLogs\O38F34L4A22E2IR7G32.exe
"C:\PerfLogs\O38F34L4A22E2IR7G32.exe"
5⤵
PID:5496

C:\Program Files\L57N45U3V67A6NG8U88.exe
"C:\Program Files\L57N45U3V67A6NG8U88.exe"
5⤵
PID:6024

C:\Program Files (x86)\K37O01R1Z70A8NM6B46.exe
"C:\Program Files (x86)\K37O01R1Z70A8NM6B46.exe"
5⤵
PID:6508

C:\ProgramData\O30O55A6H36M2TO8E57.exe
"C:\ProgramData\O30O55A6H36M2TO8E57.exe"
5⤵
PID:2936

C:\Recovery\T02V51B5U06F0PR7T24.exe
"C:\Recovery\T02V51B5U06F0PR7T24.exe"
5⤵
PID:6184

C:\Users\Q41A23D7I36D4TS5U11.exe
"C:\Users\Q41A23D7I36D4TS5U11.exe"
5⤵
PID:7584

C:\Windows\B76T65J8G16D8AN6S23.exe
"C:\Windows\B76T65J8G16D8AN6S23.exe"
5⤵
PID:9016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=virus%20builder%20legit%20free%20download%20no%20virus
5⤵
PID:11404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 3280
5⤵
- Program crash
PID:18188

C:\Windows\C26J10Y0J31Y1IH5E17.exe
"C:\Windows\C26J10Y0J31Y1IH5E17.exe"
3⤵
PID:4404

C:\H2.exe
"C:\H2.exe"
4⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
5⤵
PID:4700

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5112

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3604

C:\$Recycle.Bin\S55H11I1Q58T1LZ6K30.exe
"C:\$Recycle.Bin\S55H11I1Q58T1LZ6K30.exe"
5⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 892
6⤵
- Program crash
PID:6740

C:\Documents and Settings\X14D54Q5S26B0ZG3F06.exe
"C:\Documents and Settings\X14D54Q5S26B0ZG3F06.exe"
5⤵
PID:5552

C:\PerfLogs\U84G47O5G62V0DZ2D15.exe
"C:\PerfLogs\U84G47O5G62V0DZ2D15.exe"
5⤵
PID:5344

C:\H2.exe
"C:\H2.exe"
6⤵
PID:9616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
7⤵
PID:5996

C:\Program Files\C86I11L8Y60W7UV7G02.exe
"C:\Program Files\C86I11L8Y60W7UV7G02.exe"
5⤵
PID:1036

C:\Program Files (x86)\U00F16R6B68W0MN5Z48.exe
"C:\Program Files (x86)\U00F16R6B68W0MN5Z48.exe"
5⤵
PID:6252

C:\ProgramData\D18U61X7E63M6VG1D78.exe
"C:\ProgramData\D18U61X7E63M6VG1D78.exe"
5⤵
PID:1340

C:\Recovery\G31F72C1D41E5UD1M73.exe
"C:\Recovery\G31F72C1D41E5UD1M73.exe"
5⤵
PID:5276

C:\Users\P82S58E0F41Q8DP7M25.exe
"C:\Users\P82S58E0F41Q8DP7M25.exe"
5⤵
PID:7700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=system%20to%20user%20exploit%20bypass%20undetect%202027%20method%20free%20fud
5⤵
PID:12748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=club%20penguin
3⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
4⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
4⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
4⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
4⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,18350773839115560378,16067871672238270106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
4⤵
PID:11028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4476 -ip 4476
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2288 -ip 2288
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4572 -ip 4572
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3944 -ip 3944
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2360 -ip 2360
1⤵
PID:5660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x51c
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2776 -ip 2776
1⤵
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 896 -ip 896
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2348 -ip 2348
1⤵
PID:8352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:8844

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:11548

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:11892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:9436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:7976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:10256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:5276

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:6396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:6700

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9464

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:16760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:6916

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15508

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:3248

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:10928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:12352

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15564

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:15812

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:16208

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa8fc046f8,0x7ffa8fc04708,0x7ffa8fc04718
1⤵
PID:14060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 900
1⤵
- Program crash
PID:14540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 13144 -ip 13144
1⤵
PID:14024

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:16768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "Admin:F"
1⤵
PID:13752

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:17020

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 14572 -ip 14572
1⤵
PID:16004

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15200

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5780

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:16456

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11548

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10004

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14556

C:\H2.exe
"C:\H2.exe"
1⤵
PID:17712

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\H2.exe
Filesize
22KB

MD5
669902e0baf0307086c9d347c66152a8

SHA1
96a5cc7d488c2273ae58a3ef22bc468d61684132

SHA256
900bac2dc0f9eb0691dbbed3dfa5ec6294cfe164dc371763efa0ff20681b1fea

SHA512
06f6538048379ce7c861671592b6d04989c4b3400b4875cc50b889404a731e3602aa64a78be654a1b151ae3e39419d21f6877b8eb6c6dfc214a653ef276d227f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H2.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b6f2d6d5d0c12549c78194121f15eb20

SHA1
d37c414763dc76682c4616516c97255e388f1113

SHA256
8066487482f1ed2da5c8c199f4fdaa5a7c40de780f72843cedf2745055c22023

SHA512
dae8ff30a7273adb6d0ee1cb008dac54ddf2099d65df241a546868ebe28859a7b62f4b1349620eda8338361b4acc197dd9aed7ee0142a50359083c25f0069afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
memory/116-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/116-1-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/1108-13-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1108-31-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads