4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68

Resubmissions

25-04-2024 18:13

240425-wt9p5sdc51 10

25-04-2024 18:08

240425-wqze1add38 10

25-04-2024 18:05

240425-wpcjvadc2t 8

Analysis

max time kernel
461s
max time network
458s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-04-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

39a49a0f8ac6c6c2532c8e0fb619314f
SHA1

f58325cf2a9a92031697915b0759630699872fd5
SHA256

4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68
SHA512

2069d523e9777c62d5f463364f9d851969e714801b146434a0e2dbe95060715ffce7fd301632bbe93fd8eb1e9ed5aae74813f4c7cd1694238ba9e382e7411f93
SSDEEP

384:rLyv/u9KDpmReVoOs4Mi9ylKeGMxU8HhhbJnQ7xZS2LjFrSX+NVJCBXQL:rLytBVoOs4MmyI1M1BhbFuPFrSsJQQL

Score

10^/10

agilenet bootkit evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

MrsMajor3.0.exeeulascr.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

pid process

3372 MrsMajor3.0.exe
4784 eulascr.exe
2964 WinXP.Horror.Destructive (Created By WobbyChip).exe
Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid process

4784 eulascr.exe

pid	process
3372	MrsMajor3.0.exe
4784	eulascr.exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
4784	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\62D7.tmp\eulascr.exe	agile_net
behavioral1/memory/4784-389-0x0000000000F90000-0x0000000000FBA000-memory.dmp	agile_net

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

52 raw.githubusercontent.com
55 raw.githubusercontent.com
56 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description ioc process

File opened for modification \??\PhysicalDrive0 WinXP.Horror.Destructive (Created By WobbyChip).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
52	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive (Created By WobbyChip).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585424726479163"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeeulascr.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
412	chrome.exe
412	chrome.exe
4796	chrome.exe
4796	chrome.exe
4784	eulascr.exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

412 chrome.exe
412 chrome.exe
412 chrome.exe
412 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MrsMajor3.0.exeWinXP.Horror.Destructive (Created By WobbyChip).exe

pid process

3372 MrsMajor3.0.exe
2964 WinXP.Horror.Destructive (Created By WobbyChip).exe

pid	process
3372	MrsMajor3.0.exe
2964	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 412 wrote to memory of 4748	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4748	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4312	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4488	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 4488	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe
PID 412 wrote to memory of 2804	412	chrome.exe	chrome.exe

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

Processes:

WinXP.Horror.Destructive (Created By WobbyChip).exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive (Created By WobbyChip).exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc364f9758,0x7ffc364f9768,0x7ffc364f9778
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:2
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:1
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4484 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:1
2⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3128 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:1
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3248 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3992 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3724 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2612

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\62D7.tmp\62D8.tmp\62D9.vbs //Nologo
3⤵
- UAC bypass
- System policy modification
PID:3496

C:\Users\Admin\AppData\Local\Temp\62D7.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\62D7.tmp\eulascr.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4048 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 --field-trial-handle=1704,i,15748758579884019774,8931052326409301622,131072 /prefetch:8
2⤵
PID:1700

C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
"C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
131019ad1d9f209a4bce802ef0687b48

SHA1
1dd07c6504f6921340f2682094b278056ef82761

SHA256
a839d97f26d10b1d1dd4ae9f6aef46146d82855447feb47d837022ede970b2d8

SHA512
4a4dc2eaca64c5e868d1158cc160acf558098ce9d5941c82f2349b460bdc0e80c233bcda49085ac2f75f1dec2bb4c3831224f3bf9e978a3d98d366c1acbbc8a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
1254a71831d01517216a2995908c7951

SHA1
246fe243416c98db91238fceb829ff95bd225028

SHA256
97e7b8f38fa096378b0b0f9bc3c0097b472f99c1efb2f4ff37acb5837a70c14f

SHA512
2e44dcb03ebb199c5e212560685e74faae6bf68f5e9cedfe8d9cde69a9e9c357a110a9de3cfad9eb77e89a0fcaf0c6f901be10cdf351b31c344cfa25afe612be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
41e2c73796dbce9a8d0729a0a2eaaa2b

SHA1
0788efc3a7cb35061389d6876431b86ee84b0059

SHA256
1d1d21139f089750dc34d2e6577aed87a8421bf99a8e28cd080b891d2a8ea08c

SHA512
2ba19c1080a982d7141d277ab77f6771b6504a46a55b5be2ea06da286a1bce14187ebc7a9c3629cd6e488b3bb4466dbb94bc3ccacff41c45422bb09b56dec6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
322dddb41b4051dfc7da90e793cb9929

SHA1
70c718e860c4395d1877d857d432f71ebb02ec27

SHA256
3f6657a58a2a86f47738e24df8052769f2df0fddd8186e65bbd3ad2060b35775

SHA512
ff687c902a8317ca3a37cdbe99fa2601b134baac2f9b5c35b05d258a3a3dfbfaff43b7cf7cd17fe82805986573d928347b3bf5cb4a9560f92a746a3ab9588cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
227c47b8c75c13ba28d1fa42e4e6aaa2

SHA1
441b18c8a264b56c54816a29dbf2a37c2b567ee2

SHA256
637262618e2d42a9688bd2ff7b5cbc81f4193a272ed825bde692ef6123b73ccb

SHA512
15c7ce6d426cc16db3383642ebbe9d9a62ddf05e6b0065b4c21941e2c80096c4646e777d82b45feac1ad3308573497b1689877c84700b9bc8e62bee8f05841ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a962a8c538b06b8aa83d5fed210b8c70

SHA1
75d2a295249a473fba0e89fcf976d55b1cd7832d

SHA256
6cc623465ebe3f120885de369cbcc1f9ba590aba0da78e81bed783d015b61eb4

SHA512
ff090fe156b80a1360d90f9f0425dd83069ca3a2ce06617b8916825028845c225da3a5afb72d21d17391fcdfc49dfa297bf12e80c0fa1ccaac95949ee6362b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
613d93b9f5f51f194726518c43c6105f

SHA1
c012a86e6eabd17998a031248e5c4622bad03a73

SHA256
2ce74dea202b7f37f7b221376b74e88d19b0bf2101b991969dfd770ffcb6093d

SHA512
68b61b20b8c9a19a660733ab63039b88c05915ab13cda206be47c5cad23fc6bc253a54ee28d20127b222755ee245ea3ad9ec810693897fb88b32d7fd83812480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
77af6af06442f52bd2304bc358fc170b

SHA1
dcd8c87219465eb9aa1f9b2b3ca17fa5bedff00d

SHA256
e0eb032a031ee4632149629e5d2dea676af5b9adcb5fb622b628ef9f5382eefa

SHA512
74adc88256b6724178c17346abd10b66198d49172650802ed72b51955e58329638ecdba074910b5220f3cdc381c3438b751a65f1066af6a1cd963aad1083c5d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f10737be9d9d49938828b3fb7333e79f

SHA1
cfeec6eac1d925760863d309d80fdeb6a55f834f

SHA256
ab8763832b8cb5bf87ac579532f508a3d11956766109045abad6e6a6148d284c

SHA512
c2b507340c1dbebd9032f65f3d972ffb125f9670a1f9c7792cd98122a98a8b3f865cf28777d0d42a8136147129a2d531cc80095afdee59c191fa6893f554ba62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c327df4f80e062d5daefb33f04a402b9

SHA1
716258cad39f708741e0ad1b10dca1170c608ce7

SHA256
f1c11d9c7ae00fb2aef7d6b54ca76ab3b1faed01379879b61e0db74142ec3ee9

SHA512
614d8f390ba48a4eae5138f4451c2cd1ea39eec17d076f31cbb84d961638f56cfe9e05498350caa9273d547b0bcba648baca5155d6bfb033e1a140f56cdbcb01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ad8f16af12285a4b3831dc4bbc5d6a89

SHA1
c42d5dfbab4568749de78f9638ba06e3682fd009

SHA256
d6af19ad51998dbd922ebf9f586ecdf9f37c08c1ecc9f3bacc25ff7ca7f4f0af

SHA512
59e0510132553d21294aca4f0a6f622ab752a4bdd9e8240547ac2f0ebcba88b8d51c3b79ad23d0e1d8e8e1122b910b8f5d1f9784209afd720e3e6039d83842f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
cb2a7f1e65d191d13e19ffc1f29b46ac

SHA1
70b254bd08bda6109d35e79c0ec26064284822f8

SHA256
3d2facf64bfabb53f9a14394a1b43751d26ee67e8108a4232e5007f54fdb8e84

SHA512
33c9c1afffd66faaf7a3861db23291fbc087bb9789934ce027498deee553cc32b05b98f21ca758aaaec8a4adb81e3dcdf6d163b2626c103347f272afe441c459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fb6d319f01d7fdae68e798e141a82950

SHA1
4af851d0bf68b310a3218737816034f2b1ac0351

SHA256
781172156d3a79e220d3b5ca36262387d3b506a5314950df32ac7394b4e1426d

SHA512
e68e4db3343fa8e35204c6cf35f0aa95f5f48049ef4d4084a046a4420d1ab61ba6af063de945ec5badce8b125bdc2bca5ff1405a26fc0e5792ff05c36f1e660f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c4923cff192323691d7513b6403bde95

SHA1
74761076f2916a70b09d8c4e2ac89a10022ec823

SHA256
ffe8d0f18110e2f291caff8ec2c4624affca31b5fd89010c291426b5ffc8147b

SHA512
d3728b9aac51d63d0c2b8b7cff2079263e6e0a30e8f5efa6b197a1abc1dfc391491a4db9689481ce09c9b05b27280e28f467ddf6a129b098c78d472791d8d63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
789af6603d899f5a5ead4807398f132c

SHA1
a8c6c074951750d78e6d14ef2a659f59f46436ef

SHA256
91cfc0e61ca492fb46d53b4bde2e54cad89a55a63741e27b6bbf97c691dbf363

SHA512
fbf42d011f71bc83f582a6a902c6ba9bc29ce708351c9dd20aec2e4cb52cc5732fccb9a957641294cef4724bbe8df081f53bc8601339484afcbae04142d28bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e61909731008f7d0ee35204f1a3551cb

SHA1
8f69fa1c51f5731814951af8e3a484a49b6237c5

SHA256
29ab05b1dcdf3aacf4a1436e39b186cb92cfcb6ecca2648492ec534281e106f9

SHA512
e95d722b437d3e88dabf1f4d0c50d96fd6b965a30bae4677c740ad46846248d6863d0ad3ad9817184468f290d48513b548003fb8955333f0dd034889b3b328aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bcfe9a9b5bde6b495005a33101befb89

SHA1
790ec4e71f02eba76913cd63eb7fcf2e97259fd7

SHA256
4618e44c5dcb586965eff7d0571eddf8bdb8e930de0340286b3b77a8e6db529e

SHA512
fe99f9e3f11b51fb495a59ec2231f0229d913875e16a09bd42b00909b3e72b6bfc58fc64c502e44f764450fc7f60ed1843b73b5596949464968a794d696b5672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fd71038ccf799199a557dc4c6374aa3c

SHA1
9d9b33d16efbd4eeec8e010eb4b88d2c16dc471c

SHA256
3a380253a2c5eb02f9fe2fe789a6708225f2bf738a4e6dcffe56f711c8d62ccf

SHA512
46ae66753c9ec961bc5c651ad715bed37705bcdb41765bcdea3c76b4cc981eeb8bdb8c89764be563e37e876aff9b09e69d62906b342b8a76754a01a94fa2f660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
94e1c3d5aefae7a4de24700aa04c256a

SHA1
865c2330c904f7e5e3f739df912ca86aa376f89e

SHA256
6cc90f506197fa8192c56971671da2c7dafcbe444b51ed55ef46923edca50892

SHA512
2ab00967f8d99e0cf173549f511ad2a8f3165dab64f3d48c5b0fb9cd4741a9db04ba18fb87e98c98399efb9ab0518069e75793cad51d79871b4a77354e175368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\12878ed9-d895-4275-acfa-c02676bb2cff\0
Filesize
25.8MB

MD5
c7edcabbdcbf02f5d148b841b5df518a

SHA1
b01ef08c14ed7a923e6be53680d1dc9089df70db

SHA256
a47106d7347a647595d5dff711fae9f4c552eaa0be48e32d1c6350bfa5b83bc3

SHA512
0a6c2d5242da6636bad02e5fdb1c6b920f9ba12842ee989736ee6e0a262ad92aac6a3193528f57535c5fb97ea1c9ecaa9701259c521228ba8808b38466431411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
d81dfae5bdbd6954f5437a556a95f7c0

SHA1
b8a29b0850af3defb701b40de5bbf422d3bd9cdd

SHA256
dd61599634aead3b8c87073ac8d0b2a6cd79f0063515eece27235ed3a086b4bc

SHA512
4c23c13bd2b387319418c096f90e606e5a0ad2284869d7a67188e7c8387d02ea631b2a4a1585c1cf051bb5c874a6fb65d295e8a86290bc63ad15d41fd50de875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
93KB

MD5
88f2182f18ca4a81b6cc2e9d9264c2c1

SHA1
3c852356579939dfcb4bad3a2d6f58a7303a9ee0

SHA256
ab625c845488d9a50804ca14c6816a323f2ed1ae49fa335563fc98861ba8d19b

SHA512
f75285ab97418ca36b3d7aef46dbb8920a22569cfd329db0a1f92d60eec7c65e9582740d9697ba8127e8aab6ad6882a45d6717124396905c181eb85e5f388605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
77278b6929968c562d47c291177dec9c

SHA1
0448f2581fc127a1d8247495c27234a8826c58f6

SHA256
f3206fbefe5e06b6175d16f3d88b76a14ec50451686890a7269fe4640a803d00

SHA512
957b2d0335dd3be66c4d9313405c258bb2b96d498ba3478bc72f65ff9bcfd3ec7bd224d9bc4d463e31d3b97a7a307d1e4a152936396390f018607c5f2bd73c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
5696999fc8365ab013e5d0572c0424dd

SHA1
5958e33f2335a3303e4c8a64d02fe37084414c56

SHA256
c0f651366c7095314f0db871a851bde6d0d6d1be75080a63f1481b3c2b72ae2a

SHA512
d52f819b2f6a0aec46d7025e08e57939b1f9372a814556de7a7b228637f702567a149e6b7e0edfde4502fcf4014cdfe6f9bdbf1f61e37d2057a3e5c3c5b5c736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f86a.TMP
Filesize
91KB

MD5
dbd174abf1ddb9be56bfbfca17094e64

SHA1
cf11f9136a9b3724d6d407add099f617f6b0f891

SHA256
c2438bc0b9723c183864817a90f341818a99a1e5f1c852c4cb79d36c4be6fe3d

SHA512
7f8be74f2f90902b0c11827eb95d35f1d96f97cab1e81fc87b2f2dd223a901e2987d51dfdf8f92bd4e913e64376dfb86833534492876a46166eb2a998bc8607e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\62D7.tmp\62D8.tmp\62D9.vbs
Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\62D7.tmp\eulascr.exe
Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe
Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
Filesize
57.9MB

MD5
063ea883f8c67d3bb22e0a465136ca4c

SHA1
3a168a9153ee32b86d9a5411b0af13846c55ee1d

SHA256
3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c

SHA512
2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74

Download Submit
\??\pipe\crashpad_412_XOZRRLCCKOUOQKPX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2964-527-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-524-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-551-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-540-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-539-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-479-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2964-538-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-537-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-501-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-511-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-512-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2964-513-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-514-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-515-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-518-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-519-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-523-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-536-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-525-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-526-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-535-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-528-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-529-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-530-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-531-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-532-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-533-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2964-534-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/4784-396-0x00007FFC20220000-0x00007FFC2034C000-memory.dmp

Filesize
1.2MB

Download
memory/4784-424-0x00007FFC219E0000-0x00007FFC223CC000-memory.dmp

Filesize
9.9MB

Download
memory/4784-397-0x00007FFC219E0000-0x00007FFC223CC000-memory.dmp

Filesize
9.9MB

Download
memory/4784-398-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/4784-399-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/4784-400-0x000000001E050000-0x000000001E212000-memory.dmp

Filesize
1.8MB

Download
memory/4784-389-0x0000000000F90000-0x0000000000FBA000-memory.dmp

Filesize
168KB

Download
memory/4784-401-0x000000001E750000-0x000000001EC76000-memory.dmp

Filesize
5.1MB

Download