hxxp://google[.]com

Resubmissions

25-02-2024 02:03

240225-cg45caaa33 10

25-02-2024 01:59

240225-cesnjahh97 8

25-02-2024 01:31

240225-bxq2zshg26 10

25-02-2024 00:49

240225-a6gdgaab3x 7

Analysis

max time kernel
104s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-02-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

HorrorTrojan Ultimate Edition.exembr.exejeffpopup.exebobcreep.exegdifuncs.exe

pid process

3260 HorrorTrojan Ultimate Edition.exe
4176 mbr.exe
1528 jeffpopup.exe
5084 bobcreep.exe
1340 gdifuncs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
58 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe

pid	process
3260	HorrorTrojan Ultimate Edition.exe
4176	mbr.exe
1528	jeffpopup.exe
5084	bobcreep.exe
1340	gdifuncs.exe

flow	ioc
2	raw.githubusercontent.com
58	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1576 1340 WerFault.exe gdifuncs.exe

pid	pid_target	process	target process
1576	1340	WerFault.exe	gdifuncs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3852399462-405385529-394778097-1000\{392900C1-679E-4940-B132-752AD9BDEFB5}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 89308.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exegdifuncs.exe

pid	process
1060	msedge.exe
1060	msedge.exe
2044	msedge.exe
2044	msedge.exe
4432	identity_helper.exe
4432	identity_helper.exe
4832	msedge.exe
4832	msedge.exe
4488	msedge.exe
4488	msedge.exe
652	msedge.exe
652	msedge.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe
1340	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gdifuncs.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1340	gdifuncs.exe
Token: SeDebugPrivilege	1340	gdifuncs.exe
Token: 33	5068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5068	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

HorrorTrojan Ultimate Edition.exejeffpopup.exebobcreep.exe

pid process

3260 HorrorTrojan Ultimate Edition.exe
1528 jeffpopup.exe
5084 bobcreep.exe

pid	process
3260	HorrorTrojan Ultimate Edition.exe
1528	jeffpopup.exe
5084	bobcreep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2044 wrote to memory of 4856	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 4856	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 408	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 1060	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 1060	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe
PID 2044 wrote to memory of 564	2044	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1e043cb8,0x7ffe1e043cc8,0x7ffe1e043cd8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1788,15537242083145818396,80143135732040612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe
  "C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3260
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\F8C4.tmp\F8C5.vbs //Nologo
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\mbr.exe
      "C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\mbr.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:4176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\tools.cmd" "
      4⤵
      Drops file in Windows directory
      PID:4272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3604
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3824
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3640
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4688
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1080
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2836
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2140
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1592
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:652
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:124
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4884
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1576
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4600
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3140
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1296
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4336
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1992
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:816
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4028
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2160
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1524
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3008
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4876
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1796
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1964
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1988
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5112
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:228
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1604
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4008
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1768
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3152
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1428
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2736
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\jeffpopup.exe
      "C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\jeffpopup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\bobcreep.exe
      "C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\bobcreep.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\gdifuncs.exe
      "C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\gdifuncs.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1752
        5⤵
        Program crash
        
        PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
1⤵
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
e08332d25aad82c8dbc65484091dd033

SHA1
35d05350691d77611685b3b6ec8dac13ca0f77b3

SHA256
1107a30026876665fb1832390e4c0abf65d7e15b52a7232019970ac42f79811f

SHA512
94399844cef8e881b68e2eb71db0e2e3233df64cb0e19b2fc7b5b81cec57c91c3543df7d4663aba86fecd679f3c023b9bbb618cc6bbc98fbdaa00c0701f4c334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
734d96481d090b650e0386ead892dff6

SHA1
f14b9e1539adda41da34e4d59e8792545076f9d4

SHA256
db6c8ca234ac90b6f181b340ab8081e1e7010fed4fc8230bf200b26a26742a25

SHA512
931394bab635e9151a027e31d1decbfd309be3bdea77b6f6f7b33193ffc3aa489f96935ce2d84a54002fb32b116331751232bea6eee778f94c1136c7a892464f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4efbc25cb7b3b27a7409eacc305837f6

SHA1
ba42d2ecfe7565bc2120cbc76d75a5951b0aa18a

SHA256
cc49be615c800df099f4981a425d43756809c05976915f6f18e9242c8c93487f

SHA512
83bad899d14b8f568404548d4a4c64880b0ed83ee5ebdbca9d783b4202293c40cf7e06ceaacfa06a20f2d5eca171aadcb973a4b880777b9448ed1f4143580e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
294db3c322ab7002ef7e373d44fa935a

SHA1
f662f781ecd8a3d1be0dd6253ef56229ea4eacb3

SHA256
f4db568fe3afd6e26305c261152d744e55c37c34a278ef92e9387e2686bd93f8

SHA512
3f21f2805d97f9b100b0d61e66d9a79d106593fd0b04c410fa12a3397844dd9acd62ddaf37f1bbe7d020fd6816336cb4c8612258e5dcdc04710c4b9ba1194227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
30404e32c5b0f8e470bce75d219b9103

SHA1
2f5fc8967e39fab9bfbb91da5aa645fdd816bbda

SHA256
97ec83940b4b7446536234380cec1b3e74af38be8663570e6b7ee0c73633f03f

SHA512
63af0eea4677038f2450e3287016d9679b12bc560da51d60a72fd81891b70c36c3a005c95d60b619e491d1e82ec8e4d0981aaac5ecfc23f9756be552d519c12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f19a86a3fb063830a414e4bef44e70d1

SHA1
236cc60f2b660a3a072753020345f67123d1244c

SHA256
2cb86183e2f9a8a95e7f4923d8040d6671ac0c6f96085064efde94167ace63e5

SHA512
280af80ded1f33caf994fa7459f43a592361772446b07f788173f5865f3dde114f50ca5b2faa0062506ef337c01b240481d32f2907d89b0cf77d518cdb510a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a09bb54a99041af74ec2c9c147d2af16

SHA1
8a4b88d93e6f26928e0e22f933505e96e7bafb95

SHA256
8bab4f1e79e0a866a836f8b4d849a396fecf8a32e3a18b17effb166351fb547d

SHA512
eb2acbf2a3f32437bfd25318a7eaff3c594f50c673495d1db46b870c7226d0f4fe149367694377143d2ba560de73e6513689857f7b5722731bb15842f8b6e876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7767048365fc7dc9fe91174064e66c5

SHA1
dc801a5c2ee1b84201e95dcc63ce6cac878c923f

SHA256
5630a783ba3c8ffc2067ef4650dac5061c23e4020a73432aa24d5f8073b7484c

SHA512
28e36b2f937fc51cd4eaf4ee7f961caec5e6441f1848108172435dc7ba945e7dd00ef9492d0d6785a88799cacf28741fac93a1022d82f19e12508cff9b25205a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bccd3a22ead4ef4c4a2b7d1893d90820

SHA1
d15f4f757705d2b63db175bdd086c54fecea122c

SHA256
aaa137947cae1effbc426ce8f00c26a23e900bf5b76622abf5ba9643b7a384bb

SHA512
e5465e04c40a69cd6fe48db19bf7a0f9727049d5f06d8095ec29a42ea61eebdaaef767c8a180141e7592a5a96d70a508cdd63c877e1aa2ad96401c93f5532d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c62b1153e8e50d34778fff01a76d2de

SHA1
08bd0b18f373f357749a9d22f358c08ce904a151

SHA256
60ad677152b3e02bd2c5359bbdb3a8539e27fde2a5e73d481a1c70d187192c06

SHA512
e14a9299e185f7d0a8e696b17b75f7504233690e2beb703b44f38f5e3f1cd063610a1244fa8cffb3a663f3a54805c14eaaa6f923aa0c414d47a25f226fda40b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c5fb.TMP

Filesize
1KB

MD5
fc4360d0610f7722ef41a3e5d9ba8207

SHA1
4ba72c51be68182bd247e83b6dcba41d1daa8d6f

SHA256
18d41fabce1eac8accbcc2468ed4b63a7010c895c6578774e49fc95df95c1af8

SHA512
9258d55ac91b14c0ef057360b1cee6b2fb920867046bf30b506a8e845230453c636bb9b9ab6cb7eb9f6d4ad017ca91ceece86c0b83add6d184bd99060032ccb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73662513920b8a72b9a6e0de29eb507a

SHA1
03997696dbb4aabe462703eec03c2fee433592d1

SHA256
49b19b93f743ebde97d5be77c9d59ea21e7d77e5f80928977e759e6455ae57a6

SHA512
a3f736e5a4b7b2e7878848028ef80b6cf2acc03c24e8f45dfdf602801ffa44315e375b9f5a87bcc08e86c6fe41da19f42ce29914e62d13816981ab2e6f835d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9490e855e76d54a74d2f76a8c902628b

SHA1
f6d8af65c9eef5ce082eb536654374a8da5934bf

SHA256
d3ce9912c615e75c69e163d4a36f04e131dc306be400799996edac736b016581

SHA512
ac51833866c645133edf1f21a5ba7b392bfca52670007d6523cfa112a1958cbed2054deca9ce0787c53157387dc10a504707bb9d713d667c96a09eb616bd2484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c63944fbe1a0d873b288a7837422731d

SHA1
ed132afbb7f4b849ca36b8019434bde25560bc49

SHA256
ca9166b6afbc297d54147869d8f15f34e6f82c5135151bd639ed8f413d3598cb

SHA512
65aa240917db8042a4f8ad75fba60024795ec888de64cd86483c03a1de374a90c6a5a7700711ddb20c0d3b50f1b7173a7287e82ff70a3697e00f2880a3e5492f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\F8C4.tmp\F8C5.vbs

Filesize
2KB

MD5
a0679dce64fcf875f4208b823d4b85c0

SHA1
85abe3673db82bfe5b2c207dc98648e32afffea0

SHA256
85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1

SHA512
1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\bg.bmp

Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\bobcreep.exe

Filesize
92KB

MD5
219cd85d93a4ed65a481f353a3de5376

SHA1
a38ab77caf5417765d5595b2fcd859c6354bf079

SHA256
00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f

SHA512
367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\gdifuncs.exe

Filesize
5.0MB

MD5
c47c6a5111193af2c9337634b773d2d3

SHA1
036604921b67bbad60c7823482e5e6cb268ded14

SHA256
7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585

SHA512
56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\jeffpopup.exe

Filesize
780KB

MD5
4151b988c9d5c550ccb6c3b49bf551d4

SHA1
10ff979be4a5bbacaf208bdbb8236b940208eed1

SHA256
5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e

SHA512
c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\mainbgtheme.wav

Filesize
13.6MB

MD5
1affa894b52eb1235dcbbb9995999c2d

SHA1
fe7d3b6cd378dc477b13b9a56e283c82f8fb10ef

SHA256
6902102f7f67aacdf41c493fb5ff695faf99f65d251fd93769091896e530a269

SHA512
5bd653ec154905c0f6dd60e2ad362666549e64fa38d888e0d0088ee9fe86150e7799371b7f2748eb2ecc15d1b273f9744e964fefd97f7a3c8c18cdddbc2f82f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\mbr.exe

Filesize
1.3MB

MD5
74be3afd732dc010c8266326cc32127b

SHA1
a91802c200f10c09ff9a0679c274bbe55ecb7b41

SHA256
03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c

SHA512
68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.tmp\tools.cmd

Filesize
2KB

MD5
288bebe9f904e6fabe4de67bd7897445

SHA1
0587ce2d936600a9eb142c6197fe12a0c3e8472f

SHA256
cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2

SHA512
7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

Download Submit
C:\Users\Admin\Desktop\YOUDIED 5.txt

Filesize
74B

MD5
05d30a59150a996af1258cdc6f388684

SHA1
c773b24888976c889284365dd0b584f003141f38

SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9

SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe

Filesize
5.8MB

MD5
9a553b22b77c68e3429c2b071bbeeddf

SHA1
22477f1ebf394e77dd4b42b0d64bd24bcc84e7e4

SHA256
6900ca0d005748d1e332dda5b660068bb298125e615dca6de42aec593161e249

SHA512
248ced06c878192306e4e992da90a66873b40596f165552c84be37976f5ba104ec2a4d7a11ffc195ceef601895e5eaec162233369f0417b3ef4139d7f9e5ce96

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe

Filesize
12.6MB

MD5
9b534db5e9388c20f65a1cc87fb3cf4b

SHA1
93f78bd6db0a8d47580a09f7ae50cf654f5ee151

SHA256
c13a9fb521b02fc1d385d7a973875144f3a6aef1fd1306e2ac3dbb78c84b3385

SHA512
3c3912e896dd9253f44d80fb7d022782956b7e7b15269b5201c5fd7c548fcf08547de5a8bbd973a842a83a92453219a41bf5fc5def4a9e85262ee48fa2e3ab07

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 89308.crdownload

Filesize
15.0MB

MD5
8f5a2b3154aba26acf5440fd3034326c

SHA1
b4d508ee783dc1f1a2cf9147cc1e5729470e773b

SHA256
fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac

SHA512
01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2

Download Submit
C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

Filesize
7.7MB

MD5
6c84444ca54e3276c06468e6e0a71185

SHA1
429f63722ee9192116e12dc5bf81c4124874a7a1

SHA256
ff2300b8c5b4950e3be4559f3e9239b4e828e614145b93af7e05ee3bac0b970e

SHA512
1fc3700ab6d662cc42037dd291d4d24ad46870ef2813613ade251db46c67f4df28248f68b3347f3aa43255d033de12af7ab333e8b08e97741ae245e0ad0c607e

Download Submit
\??\pipe\LOCAL\crashpad_2044_VPPUNQLIWVHLTHLW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1340-748-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-751-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-739-0x00000000057D0000-0x0000000005D76000-memory.dmp

Filesize
5.6MB

Download
memory/1340-740-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/1340-741-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-742-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

Filesize
40KB

Download
memory/1340-737-0x0000000000380000-0x0000000000882000-memory.dmp

Filesize
5.0MB

Download
memory/1340-743-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-745-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-746-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-747-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-764-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-750-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-738-0x0000000072990000-0x0000000073141000-memory.dmp

Filesize
7.7MB

Download
memory/1340-752-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-749-0x0000000072990000-0x0000000073141000-memory.dmp

Filesize
7.7MB

Download
memory/1340-753-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-754-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-755-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-756-0x000000000B690000-0x000000000B790000-memory.dmp

Filesize
1024KB

Download
memory/1340-758-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-757-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-759-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-760-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-761-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-762-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1340-763-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4176-690-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download