Resubmissions
12-04-2024 19:03  240412-xqpq8sgb7s  4
12-04-2024 18:55  240412-xk4m7sda76  10
12-04-2024 18:50  240412-xg6ndsga71  10
Analysis
max time kernel: 264s
max time network: 203s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-04-2024 18:50
Static task: static1
Behavioral task: behavioral1
Sample: sample.html
Resource: win11-20240412-en
General
Target: sample.html
Size: 479KB
MD5: 7623a5f4888348a1470e2c5bbe2e826a
SHA1: 4f86a2e6585914e77eab7166d159a5e309a0a3e7
SHA256: 8a1ca44c57db2910334734c555645f5e4cce911b0b6a51020eeadbe1f5432b4e
SHA512: 7838893132be1b99c2878f689a4685495dfd793ccdc6d303163cb64edf9de28ec58d4c8cfdec2fae4428e58d50dcc4115a51e8e1e6539f880864e7cec283f8f6
SSDEEP: 6144:7sTibDibtib+ibdibOibcibyibjiblibBkk:7Yi3iJiqipiaiAiGivi5iNkk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: gdifuncs.exe, gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
UAC bypass
Processes: gdifuncs.exe, gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Disables Task Manager via registry modification
Executes dropped EXE (8 IoCs)
Processes: mbr.exe, jeffpopup.exe, bobcreep.exe, gdifuncs.exe, mbr.exe, jeffpopup.exe, bobcreep.exe, gdifuncs.exe
pid | process
1060 | mbr.exe
4676 | jeffpopup.exe
4624 | bobcreep.exe
2968 | gdifuncs.exe
4024 | mbr.exe
2772 | jeffpopup.exe
672 | bobcreep.exe
4336 | gdifuncs.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: mbr.exe, mbr.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | mbr.exe
File opened for modification | \??\PhysicalDrive0 | mbr.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
Drops file in Windows directory (4 IoCs)
Processes: cmd.exe
description | ioc | process
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Control Panel (6 IoCs)
Processes: gdifuncs.exe, gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Modifies registry class (2 IoCs)
Processes: msedge.exe, msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2516240262-2296879883-3965305654-1000\{34FFE874-9DBE-467F-9E29-5AB4C8C58431} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings | msedge.exe
NTFS ADS (1 IoCs)
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\HorrorTrojan-main.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msedge.exe, msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, gdifuncs.exe
Distinct pid | process entries (64 entries in total; all remaining entries are 2968 gdifuncs.exe):
1196 | msedge.exe
1380 | msedge.exe
2384 | msedge.exe
4140 | msedge.exe
3732 | identity_helper.exe
4560 | msedge.exe
2968 | gdifuncs.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
Processes: msedge.exe
pid | process
1380 | msedge.exe (12 entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: gdifuncs.exe, AUDIODG.EXE, gdifuncs.exe
description | pid | process
Token: SeDebugPrivilege | 2968 | gdifuncs.exe
Token: SeDebugPrivilege | 2968 | gdifuncs.exe
Token: 33 | 4960 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4960 | AUDIODG.EXE
Token: SeDebugPrivilege | 4336 | gdifuncs.exe
Token: SeDebugPrivilege | 4336 | gdifuncs.exe
Suspicious use of FindShellTrayWindow (62 IoCs)
Processes: msedge.exe
pid | process
1380 | msedge.exe (62 entries)
Suspicious use of SendNotifyMessage (16 IoCs)
Processes: msedge.exe
pid | process
1380 | msedge.exe (16 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: HorrorTrojan Ultimate Edition.exe, jeffpopup.exe, bobcreep.exe, HorrorTrojan Ultimate Edition.exe, jeffpopup.exe, bobcreep.exe, HorrorTrojan Ultimate Edition.exe
pid | process
2356 | HorrorTrojan Ultimate Edition.exe
4676 | jeffpopup.exe
4624 | bobcreep.exe
4436 | HorrorTrojan Ultimate Edition.exe
2772 | jeffpopup.exe
672 | bobcreep.exe
4716 | HorrorTrojan Ultimate Edition.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
Distinct description | pid | process | target process entries (64 entries in total):
PID 1380 wrote to memory of 4268 | 1380 | msedge.exe | msedge.exe
PID 1380 wrote to memory of 3112 | 1380 | msedge.exe | msedge.exe
PID 1380 wrote to memory of 1196 | 1380 | msedge.exe | msedge.exe
PID 1380 wrote to memory of 4368 | 1380 | msedge.exe | msedge.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: gdifuncs.exe, gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1380]
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4268]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbce463cb8,0x7ffbce463cc8,0x7ffbce463cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3112]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1196]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4368]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4044]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 620]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 400]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2384]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2996]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3604]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2400]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1120]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5716 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4140]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2192]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2016]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4972]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2812]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2656]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  [PID 3732]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2136]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4560]
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10199894439315705382,8559399397373319094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe  [PID 1812]
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe  [PID 3440]
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe  [PID 5080]
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe  [PID 2356]
  command: "C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\wscript.exe  [PID 4488]
    command: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6E84.tmp\6E85.tmp\6E86.vbs //Nologo
    - C:\Users\Admin\AppData\Local\Temp\6E84.tmp\mbr.exe  [PID 1060]
      command: "C:\Users\Admin\AppData\Local\Temp\6E84.tmp\mbr.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
    - C:\Windows\system32\cmd.exe  [PID 2168]
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E84.tmp\tools.cmd" "
      - Drops file in Windows directory
      - C:\Windows\system32\reg.exe  [PID 3040]
        command: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        - Sets desktop wallpaper using registry
      - C:\Windows\system32\rundll32.exe  [PID 4620]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5072]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1412]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5108]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1696]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1664]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4724]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1952]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2560]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3536]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2876]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3004]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2384]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3044]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1744]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4780]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1208]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3488]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3248]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4360]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5056]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1372]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5024]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2220]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3508]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1188]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3000]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1112]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2032]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2224]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5116]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4500]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4828]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2720]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 5004]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    - C:\Users\Admin\AppData\Local\Temp\6E84.tmp\jeffpopup.exe  [PID 4676]
      command: "C:\Users\Admin\AppData\Local\Temp\6E84.tmp\jeffpopup.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\6E84.tmp\bobcreep.exe  [PID 4624]
      command: "C:\Users\Admin\AppData\Local\Temp\6E84.tmp\bobcreep.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\6E84.tmp\gdifuncs.exe  [PID 2968]
      command: "C:\Users\Admin\AppData\Local\Temp\6E84.tmp\gdifuncs.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Executes dropped EXE
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Windows\system32\AUDIODG.EXE  [PID 4960]
  command: C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe  [PID 4436]
  command: "C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\wscript.exe  [PID 3900]
    command: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\5AF8.tmp\5AF9.vbs //Nologo
    - C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\mbr.exe  [PID 4024]
      command: "C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\mbr.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
    - C:\Windows\system32\cmd.exe  [PID 4956]
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\tools.cmd" "
    - C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\jeffpopup.exe  [PID 2772]
      command: "C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\jeffpopup.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\bobcreep.exe  [PID 672]
      command: "C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\bobcreep.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\gdifuncs.exe  [PID 4336]
      command: "C:\Users\Admin\AppData\Local\Temp\5AF7.tmp\gdifuncs.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Executes dropped EXE
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe  [PID 4716]
  command: "C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\wscript.exe  [PID 2984]
    command: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\60C.tmp\60D.tmp\60E.vbs //Nologo
    - C:\Users\Admin\AppData\Local\Temp\60C.tmp\mbr.exe  [PID 2812]
      command: "C:\Users\Admin\AppData\Local\Temp\60C.tmp\mbr.exe"
    - C:\Windows\system32\cmd.exe  [PID 4104]
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60C.tmp\tools.cmd" "
      - C:\Windows\system32\reg.exe  [PID 2432]
        command: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      - C:\Windows\system32\rundll32.exe  [PID 232]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1460]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1344]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1252]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3620]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 440]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1072]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2864]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2340]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2752]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2148]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3748]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2900]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1992]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4524]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 3592]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4832]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4768]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 900]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 1672]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2116]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 2440]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - C:\Windows\system32\rundll32.exe  [PID 4912]
        command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4908
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3512
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3548
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1500
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4496
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3484
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2536
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1892
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4684
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3200
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2192
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3032
-
-
-
C:\Users\Admin\AppData\Local\Temp\60C.tmp\jeffpopup.exe"C:\Users\Admin\AppData\Local\Temp\60C.tmp\jeffpopup.exe"3⤵PID:816
-
-
C:\Users\Admin\AppData\Local\Temp\60C.tmp\bobcreep.exe"C:\Users\Admin\AppData\Local\Temp\60C.tmp\bobcreep.exe"3⤵PID:3800
-
-
C:\Users\Admin\AppData\Local\Temp\60C.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\60C.tmp\gdifuncs.exe"3⤵PID:3100
-
-
-
C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"1⤵PID:1592
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\60DE.tmp\60DF.tmp\60E0.vbs //Nologo2⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\60DE.tmp\mbr.exe"C:\Users\Admin\AppData\Local\Temp\60DE.tmp\mbr.exe"3⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60DE.tmp\tools.cmd" "3⤵PID:2112
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f4⤵PID:4612
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2148
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1860
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1992
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2792
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4832
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4024
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4568
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:876
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3728
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:5008
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4092
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4908
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1804
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3088
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4732
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2580
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3484
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:536
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2064
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3032
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1624
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3120
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1188
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4236
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2944
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4824
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3288
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2992
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4596
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4508
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2220
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4620
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4560
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4368
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1472
-
-
-
C:\Users\Admin\AppData\Local\Temp\60DE.tmp\jeffpopup.exe"C:\Users\Admin\AppData\Local\Temp\60DE.tmp\jeffpopup.exe"3⤵PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\60DE.tmp\bobcreep.exe"C:\Users\Admin\AppData\Local\Temp\60DE.tmp\bobcreep.exe"3⤵PID:5056
-
-
C:\Users\Admin\AppData\Local\Temp\60DE.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\60DE.tmp\gdifuncs.exe"3⤵PID:1812
-
-
-
C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"1⤵PID:4276
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A588.tmp\A589.tmp\A58A.vbs //Nologo2⤵PID:2692
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:3564
-
C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan-main\HorrorTrojan-main\HorrorTrojan Ultimate Edition.exe"1⤵PID:3028
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E8FA.tmp\E8FB.tmp\E8FC.vbs //Nologo2⤵PID:3972
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:2952
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
Downloads