957e27a1546f944c33967f491f184484717b6aab8bf57fcb9b121c22b49d789f

Analysis

max time kernel
426s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 21:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

taas.png
Size

482KB
MD5

5cdee96ab62ae22eaced595bbe8e9eb4
SHA1

c258fd9b3d6adce3b30cdbb43f8783d12800082a
SHA256

957e27a1546f944c33967f491f184484717b6aab8bf57fcb9b121c22b49d789f
SHA512

ca9acb73f52d685656af6bf4457f686e894a3fc34029d72fad2bcbf3bbfb79bcdca0e51188f57f31802fd06f7d671f0ed3d5034f2e4d52cbee04a82b7d7a91e0
SSDEEP

12288:iDVrZ0KGNJDi5eQDoxqgVm5K/oea9aDXY3ax+KdxaAX8ZVJxbzamWQ2:u9Z0KGP3Q0YgCK/T6azxx+KjXGVDbEh

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3292 takeown.exe
3472 icacls.exe
2360 takeown.exe
4224 icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

pid	process
3292	takeown.exe
3472	icacls.exe
2360	takeown.exe
4224	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gdifuncs.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	gdifuncs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

Processes:

mbr.exejeffpopup.exebobcreep.exegdifuncs.exe

pid process

3168 mbr.exe
2880 jeffpopup.exe
804 bobcreep.exe
1640 gdifuncs.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4224 icacls.exe
3292 takeown.exe
3472 icacls.exe
2360 takeown.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" reg.exe

pid	process
3168	mbr.exe
2880	jeffpopup.exe
804	bobcreep.exe
1640	gdifuncs.exe

pid	process
4224	icacls.exe
3292	takeown.exe
3472	icacls.exe
2360	takeown.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

Processes:

cmd.exegdifuncs.execmd.exe

description	ioc	process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3552 timeout.exe

pid	process
3552	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4960 taskkill.exe

pid	process
4960	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644304259889514"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exegdifuncs.exe

pid	process
4068	chrome.exe
4068	chrome.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe
1640	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4068 chrome.exe
4068 chrome.exe
4068 chrome.exe
4068 chrome.exe
4068 chrome.exe
4068 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

HorrorTrojan Ultimate Edition.exejeffpopup.exebobcreep.exe

pid process

2172 HorrorTrojan Ultimate Edition.exe
2880 jeffpopup.exe
804 bobcreep.exe

pid	process
2172	HorrorTrojan Ultimate Edition.exe
2880	jeffpopup.exe
804	bobcreep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4068 wrote to memory of 1212	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1212	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 1060	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 2708	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 2708	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe
PID 4068 wrote to memory of 3136	4068	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\taas.png
1⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff7808ab58,0x7fff7808ab68,0x7fff7808ab78
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:2
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4744 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3972 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6132 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:1
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2616 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=1940,i,1415726823682922372,11565197952966466371,131072 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe
"C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\74C4.tmp\74C5.tmp\74C6.vbs //Nologo
2⤵
- Checks computer location settings
PID:1512

C:\Users\Admin\AppData\Local\Temp\74C4.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\74C4.tmp\mbr.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74C4.tmp\tools.cmd" "
3⤵
- Drops file in Windows directory
PID:1552

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
4⤵
- Sets desktop wallpaper using registry
PID:3980

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4760

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4912

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3128

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1492

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:640

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3068

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1196

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3392

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1468

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2532

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4060

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4948

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4924

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2036

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1616

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4756

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:900

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4508

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4988

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4608

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:664

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1232

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2628

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:424

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4328

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4496

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:380

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1068

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3852

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2268

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3292

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4588

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3112

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1128

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\74C4.tmp\jeffpopup.exe
"C:\Users\Admin\AppData\Local\Temp\74C4.tmp\jeffpopup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Users\Admin\AppData\Local\Temp\74C4.tmp\bobcreep.exe
"C:\Users\Admin\AppData\Local\Temp\74C4.tmp\bobcreep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\AppData\Local\Temp\74C4.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\74C4.tmp\gdifuncs.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1640

C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3292

C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
4⤵
- Drops file in Windows directory
PID:2324

C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2360

C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3552

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
5⤵
- Kills process with taskkill
PID:4960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 66.txt
1⤵
PID:3060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x44c
1⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
9b764b9cd961d394d96b670976361383

SHA1
6c640e79e266d9638b55a65c5361fab60a0545a4

SHA256
3574683cafba927372caf29ce71743e6960ab82bf5607caa82f5bd799785039a

SHA512
9ee230687f520e3193c824487d51614d0053ac26a25e11ff4850b0d69e6833e55c9ca3cc2585b8422a3f9f942278560b3921ca87b1deacb61cfb0af79494c678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
dce0481adbd3b5ee04c5de0f188718e0

SHA1
934f5d6130379c0985295acdbbfdebe7407018ad

SHA256
0cacb9b831427b2367505c969b2020b5bef36d8984d5c87ec1809749f7a79085

SHA512
ac73c3f7af29e3e429e33d2567cc5f2af29ca9c5857c1d1021db59ab23f0ea06ea184736fdcfa4e5f97d8cb3aa3dacd50a24ce4e2241125391993c98eefca6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
54424d164ef80d46e9e20aca068c0870

SHA1
3ad1b125ba0feeba21d44697623a02c6413577a7

SHA256
2149c1d279a6ca2126f3741dea9b1866f613f1386887720dc1b75cb9403280c8

SHA512
7f5169fd043e597fd04508b58af9a4f392a27c35fa82ce99ea59e089cd8b76a7f519f29d61b3cb39fff394961b2f811b9577ce4e5e140e0d387c435130d4603c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
ecf28b1ed708230b3c454ad6dac75fe5

SHA1
c9377607abe7a3640a84b2768ba5a012ee9d4783

SHA256
bcfb040a712c274012b0d3093efb537dc5f32c0047e17d968082cff2aab8404d

SHA512
d806e25652a3ab879f039232188f476dc7a994de78efd7a482100952316807323b94ce0fb8aa83e13d84e97775dc57a376bc97035dec442500ad4d3ce29eff91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ec9445323f9792183984c274d89e7a88

SHA1
c11fb1b4b9a463ee5bde0407f9adb881ec73dd0b

SHA256
46c3799767d195b49efd88bcfc6fadbcfeea426eefc9648dbfd19b649754d2b7

SHA512
60c0caaa2509e218d3262f4eb0f69cb492de4a4c56a82bf8da3b43e56ead0bf6e16d1688a6f457bb9f9671676f563a0c93b45fbd22224f8017336d0c2e0f7f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
96aabc8aace22643dd5bba0310ecde40

SHA1
2d026f1399c375a93af5d258825fb52b4b311768

SHA256
abe6abf9383109e3ae73a0d8e9d21b152587d81ced991003a5f36c87d67aeee7

SHA512
5ea00b7dac4822d8932aa739ba5a39e702d024955f4e050d2c754e0b9076a047f7bc49f0a977decc248682aaaaf2fc71177c728c3ce29fc56c0bb244063b5aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9365ba9b25124092edb30b7765fe30e2

SHA1
66300096435702bd6ebfd4a949b383370b7e1941

SHA256
48070d7f52ae1ff4a36b08fcaea813f294a04931dc8de65a24d07bb580b9cad0

SHA512
cfbd92734be93585f20ce9ef7a7009e1b898359ddbcc3aee2768ad860ba1ce2ff7f38c696fa00d9b202b0637f800ff7efa25fba96a2d4cd7d934e5969ba9565c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e3e4bd38b704b6e5a38700f5b4537034

SHA1
54fe7bff60a7fd162cc61b654d4bb90947777036

SHA256
bb2eec7c0a3316c92322126a6ade1f5feef55d56dbd3bad32fab617a194bf029

SHA512
60c281ef6e1fbfe466a737410c1e8ae694d31ee455d680683a6f0ff646d03c1ca863a52b93d9db2af87ce693daa6287d37be81d15ec682edc4cd89794134862e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6c7fa7bd7e7746528959c5e7011422b8

SHA1
29c2ad049daf4e37a66ee6ec7c2e96715fcb732f

SHA256
22f54e9af1c8b9fc7fd6b1969f8c0d746b54f529367dacdd17836492254cd5a0

SHA512
3bef90fee8b3de4e287f2a0ff207b1c100ebc073cf903221b49707dd9cf26c2ff08e84774d693ec320a409d9212e93633d92df427b9ffc9ccf9dba6adfe8a97e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fbddb95801954c9041517808a1a954a4

SHA1
83d660f03831111cc359ee0aabed2e850b359d5d

SHA256
1b7aef267746bcd4b337e8107080e51af92705d9f810823f0bd00c91b8149670

SHA512
938c539d75d8cde8bc1d9dd416aaff74db1487ea50e581eed5eb849c8e6e002a3d25d901d1a1871c40ff0602c281da19b746fd72390a0e1098049a387ada1053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
eb37aebb89704d613f094c76841c84b0

SHA1
8839c326ec07cef2fc6a7feb22f742e118e0b627

SHA256
15791041090f214ce500ff22762d0e2766cf8fd3e69cb1a0ba719b254c35f5e8

SHA512
fc8a4edc138e88cafad069e554c6906c8b8b03e12fc898629ca6bdd7a4bb28eb145b599f58195b30e3e397f6a1cd4603243dcc9f1a8e0161878aee9e1ea5e9dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2cf98f5f61639c444d673082ec5f9a5a

SHA1
e7e2418a86222235572c4a1427482164df8217dd

SHA256
e240b7b1628de11ad0cf3683c3bb9203bbbbd9999dc56ef9ada5816707025ad4

SHA512
d3c1988a0f08153c10e4363511f58ec91f03ea1e3d83d84c3737cf6d8fd7134084267a8551ab99892cf0e232d7a3b875608e3a9746e5821e3278b86af3a66af2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
66d729608e7877a8f2ec4c19117c83c0

SHA1
4047e990163ad2b7e095b0a6f5ffa222a68ac858

SHA256
d044ed9aabeadfab432aa1eaecf0b94426e2b9e91b755f28c8e5576c3a64dfb1

SHA512
117b69a088c4bbd7855623e67cd632d95d86f96f6cc3acd4b43ef5cf082d50c00f47ad2941a73e950050c652f914e1a85a4e87f8090a41b903e2d31107afea96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f849dacc12139af837e0a27cace13f86

SHA1
09e890e81dfb2c9b5fb6ce633d1624f61ce950a0

SHA256
15f2749d995a00b0e433d02ae360b33d58428a11d76bc1aa61a598f76825d2c3

SHA512
ecb315f8dea710b38d3defed0856e3f4c88208ccb77522fb3fab378010353701de685d5151cadd8fa4762e67b0ff4b113f6e1b5b5e2bb90d8fc1942edede6822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
01f490d6b5473d303af4b5f28f9e5383

SHA1
c11dfe21d35665b211880b5b3585457be510f8ff

SHA256
1654cc797f3a078a9aeb0cdfdf5cf35e56e9264740314e6d06cc3cab1edfb054

SHA512
713183821944fffbd25c82cacde7e7474362f9168c65a86aa3eb5303d88a38faccc292bd735e51351af115514e12485f7099ead1e3e5a5b93c5bf2c4f79e1f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
62e7cf19fa7eb2393b57283f82e6ae43

SHA1
988e53ce7242eefca664c5e36636a8a3cd9094ed

SHA256
52b08afa85492ca908a11ff7e9f04ae22cee957ec059144c86a028973580148a

SHA512
5bc14c899a4ae4ad4dcb8ec9e5f2d73f5ee5f8c471c169da9015cc03ff3781fcaeaea865383fefbf925c4f7b8f5260849a26cbee3aa113131d80a4cf4a50c1b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
f89604e66b2234b589d5d757ed4b04f9

SHA1
f39caff70eecfc34f8766cf6f8362e0f16d76af8

SHA256
d2c95eee3dc1e39264d253422f30e637603a0cf0dec5b47d6fd57004444c95ba

SHA512
e9cba5cbbf884a89b4ed3add2c9989e639265183e113afc80e9acf74941726b813a824b13bfee17556ba6573229842ccdbc9f87238f1eb9721cb385d56109242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
6c9c658d2c386370e67eca3065fc4ecb

SHA1
2697743b1e9e241b93bcb8a22c0ef0b9ed072e02

SHA256
90861456a1adfbabeaeedd8ffad1badeac09a8ef51f54a3f342c3163ef4390d0

SHA512
25a08f61ffd379eb9833bec9306209cdb42982c27a3566f14435e8709735aa1ff6bb19a74311caeaad983cab28442077cd108cf368573a3738f86bd1b2af1e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
0c2e8b0c113b7de6e6fa4d2b9ea4cd55

SHA1
f383b3696abbd0e95bd9569bee2df1e07ee8199e

SHA256
cb1eacf388163bf7a446c764d7f53d70b3e01c36c97861589fdce396f87273bf

SHA512
d8933cb4c94f47264f790c40ec4ddca1ed9984c9f65c6a55161fa8c570830873d4253378b5336142564c9a4e7782b5fb90845dae00c5e467dc678ba19d3a6925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
11676759aebd796108055390451ce4fb

SHA1
ecd25d2a8d76935c76a775e9f0b083757c7e243b

SHA256
8ac5ce02374f1ebf820fe57306e905890e0ec389fdd59dc3caf408353a7186cf

SHA512
5f40c0120ad2ee5bff7cadb4513a1c12625ad185db4683ed238eb0d44f1f114fec618f041531fa79305184e6a5e5620bf90fd60d6b87d73774361c60f8c9e1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
93KB

MD5
ca72097710442d8df4d663eedd7dd260

SHA1
133a146e870e0ca95fa641b18e5e26d1b637baa3

SHA256
9fca295b26a892bc3b121e7c11fff0eee9c9cd796efd8bac224697b8470db6f2

SHA512
f3c3a0fbeab71de5ce0f293da3be8dee87bdd72f4aec390ba71cd6cda37648eb7578dca7f1d9a7d422ca2d10a82ccd8b2bf6304967728bf4de79f6d14d38e43f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e474.TMP
Filesize
87KB

MD5
dca1e0d7626cddd348d3dfd997b355ce

SHA1
aa3214e6e28ef6b805b5e88036cb57a7a1f53344

SHA256
1fd3e1a298cd718c28b5fde7ee05d6cda13bd1ba8a8ca91a5fbed7241bc92345

SHA512
442aed4fa031995241a15a74f9f905eecbf958f112c62ae3851805705c64d02c186874c5bae93fe6104e3124241940a2c0b6c9b3c58b3344a9f62ebea7d4d618

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\74C5.tmp\74C6.vbs
Filesize
2KB

MD5
a0679dce64fcf875f4208b823d4b85c0

SHA1
85abe3673db82bfe5b2c207dc98648e32afffea0

SHA256
85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1

SHA512
1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\bg.bmp
Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\bobcreep.exe
Filesize
92KB

MD5
219cd85d93a4ed65a481f353a3de5376

SHA1
a38ab77caf5417765d5595b2fcd859c6354bf079

SHA256
00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f

SHA512
367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\gdifuncs.exe
Filesize
5.0MB

MD5
c47c6a5111193af2c9337634b773d2d3

SHA1
036604921b67bbad60c7823482e5e6cb268ded14

SHA256
7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585

SHA512
56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\jeffpopup.exe
Filesize
780KB

MD5
4151b988c9d5c550ccb6c3b49bf551d4

SHA1
10ff979be4a5bbacaf208bdbb8236b940208eed1

SHA256
5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e

SHA512
c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\mainbgtheme.wav
Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\mbr.exe
Filesize
1.3MB

MD5
74be3afd732dc010c8266326cc32127b

SHA1
a91802c200f10c09ff9a0679c274bbe55ecb7b41

SHA256
03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c

SHA512
68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\74C4.tmp\tools.cmd
Filesize
2KB

MD5
288bebe9f904e6fabe4de67bd7897445

SHA1
0587ce2d936600a9eb142c6197fe12a0c3e8472f

SHA256
cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2

SHA512
7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

Download Submit
C:\Users\Admin\Desktop\YOUDIED 5.txt
Filesize
74B

MD5
05d30a59150a996af1258cdc6f388684

SHA1
c773b24888976c889284365dd0b584f003141f38

SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9

SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan-main (1).zip.crdownload
Filesize
209KB

MD5
3a50c5ed055416549428a045e1c74d50

SHA1
7d35cdc01f45c93cc1b1fc786ac99ad7eba4354e

SHA256
b6075dc635e56efddc7faed1f25f05e2c6d89e2ae274b221c9362279d153fb68

SHA512
97b04231bfcb01447c9763f3bb3f3cf5c93647aebdc6bd483cddfa7883001152a908d72da914900f0a8dcfd97810d5ded885a56bedd104824365e7f4f4ed8519

Download Submit
\??\pipe\crashpad_4068_AONOZTGTBBJLAICV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1640-773-0x0000000000270000-0x0000000000772000-memory.dmp

Filesize
5.0MB

Download
memory/1640-774-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/1640-775-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/1640-776-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/3168-753-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads