Analysis
max time kernel: 204s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 14:29
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20240611-en
Errors
General
Target: http://google.com
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" by WinXP.Horror.Destructive (Created By WobbyChip).exe
  The write went to the 32-bit (WOW6432Node) view of the Winlogon key. Shell normally holds explorer.exe; a value of "0" names a program that does not exist.
Registry IoC whose signature heading was lost in extraction (the process tree below lists both "UAC bypass" and "Checks whether UAC is enabled" for PID 4568):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by WinXP.Horror.Destructive (Created By WobbyChip).exe
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by WinXP.Horror.Destructive (Created By WobbyChip).exe
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
- PID 4568 WinXP.Horror.Destructive (Created By WobbyChip).exe
Registry IoCs whose signature heading was lost in extraction (the process tree below lists both "UAC bypass" and "Checks whether UAC is enabled" for PID 4568):
- Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by WinXP.Horror.Destructive (Created By WobbyChip).exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by WinXP.Horror.Destructive (Created By WobbyChip).exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- flow 158: raw.githubusercontent.com
- flow 159: raw.githubusercontent.com
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0 by WinXP.Horror.Destructive (Created By WobbyChip).exe
  \??\PhysicalDrive0 is the raw first physical disk; opening it for writing needs administrator rights, which is consistent with the HKLM policy writes the same process performs.
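When a report shows the sample opening \??\PhysicalDrive0 for modification, the first question for an incident responder is whether the disk's first sector still looks like an MBR. The following is an added example (editor's code, not part of the report or of the sample) that parses a 512-byte sector, checks the 0x55AA boot signature and the partition table for internal consistency, and compares the bootstrap code against a known-good SHA-256 digest so a bootkit that leaves the partition table intact is still caught. The three sectors it tests are constructed in the code; on a live Windows host the input would be the first 512 bytes read as administrator from \\.\PhysicalDrive0.

```python
"""Sanity-check a raw first disk sector (MBR) and compare its boot code to a baseline.
The sample sectors at the bottom are constructed for this example, not taken from the report."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bootstrap code; 440-443 disk signature, 444-445 reserved
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # 0x55 0xAA marks a valid boot sector


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            '<B3BB3BII', sector, off)
        if ptype == 0:                      # unused slot
            continue
        entries.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                        'lba_start': lba_start, 'sectors': sectors})
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so a changed disk signature does not cause noise."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str = None) -> list:
    """Return a list of problems; an empty list means the sector looks like an intact MBR."""
    problems = []
    if len(sector) != SECTOR:
        return [f'expected {SECTOR} bytes, got {len(sector)}']
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b'\x55\xaa':
        problems.append('boot signature 0x55AA missing: sector overwritten or not an MBR')
    parts = parse_partitions(sector)
    if not parts:
        problems.append('partition table empty')
    if sum(p['bootable'] for p in parts) > 1:
        problems.append('more than one partition flagged bootable')
    spans = sorted((p['lba_start'], p['lba_start'] + p['sectors']) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append('overlapping partition entries')
            break
    if baseline_digest is not None and boot_code_digest(sector) != baseline_digest:
        problems.append('boot code differs from known-good baseline (bootkit or wiper)')
    return problems


# --- constructed test sectors (not from the analysed sample) -----------------------------

def build_good_mbr() -> bytes:
    """A minimal well-formed MBR: one bootable NTFS (0x07) partition starting at LBA 2048."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b'\x90' * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack('<I', 0x1234ABCD) + b'\x00\x00'
    entry = struct.pack('<B3BB3BII', 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 1_000_000)
    table = entry + b'\x00' * (3 * PART_ENTRY_LEN)
    return code + disk_sig + table + b'\x55\xaa'


def build_wiped_sector() -> bytes:
    """A wiper's output: a text banner over the boot code, no partition table, no signature."""
    banner = b'Your computer has been destroyed'   # constructed placeholder text
    return banner + b'\x00' * (SECTOR - len(banner))


def build_bootkit_sector() -> bytes:
    """A bootkit-style patch: partition table and signature intact, bootstrap code changed."""
    sector = bytearray(build_good_mbr())
    sector[0:4] = b'\xEB\x58\x90\x00'            # first instruction redirected into implanted code
    return bytes(sector)


if __name__ == '__main__':
    baseline = boot_code_digest(build_good_mbr())
    for name, sec in [('good', build_good_mbr()), ('wiped', build_wiped_sector()),
                      ('bootkit', build_bootkit_sector())]:
        print(name, check_mbr(sec, baseline) or 'OK')
```

The baseline digest is the part that makes this useful in practice: take it from a clean image of the same OS build before an incident, because the partition-table checks alone accept any sector that a careful bootkit leaves structurally valid.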
Enumerates system info in registry (2 TTPs, 3 IoCs; all from the browser process, not the sample)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
Modifies Control Panel (2 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse by WinXP.Horror.Destructive (Created By WobbyChip).exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" by WinXP.Horror.Destructive (Created By WobbyChip).exe
NTFS ADS (1 IoC)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 32458.crdownload:SmartScreen by msedge.exe
  This is Edge writing its SmartScreen stream onto the in-progress (.crdownload) download, i.e. the browser's own handling of the file that became the sample, not an action of the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 1752 msedge.exe (2 events)
- 208 msedge.exe (2 events)
- 1788 identity_helper.exe (2 events)
- 1836 msedge.exe (2 events)
- 4568 WinXP.Horror.Destructive (Created By WobbyChip).exe (all remaining events, 56 of the 64)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
- 208 msedge.exe (all 11 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: 33 by PID 4624 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege by PID 4624 AUDIODG.EXE
- Token: SeDebugPrivilege by PID 4568 WinXP.Horror.Destructive (Created By WobbyChip).exe
  Only the last entry belongs to the sample; SeDebugPrivilege lets a process open handles to other processes regardless of their owner.
Suspicious use of FindShellTrayWindow (63 IoCs)
- 208 msedge.exe (all 63 events)
Suspicious use of SendNotifyMessage (24 IoCs)
- 208 msedge.exe (all 24 events)
Suspicious use of SetWindowsHookEx (1 IoC)
- 4568 WinXP.Horror.Destructive (Created By WobbyChip).exe
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 events have PID 208 (msedge.exe, the browser process) as the writer, and every target is one of its own child processes:
- target PID 216 (procid_target 84): 2 events
- target PID 468 (procid_target 85): the large majority of the events
- target PID 1752 (procid_target 86): 2 events
- target PID 2768 (procid_target 87): the remaining events
Writing into newly created children is how the Chromium sandbox sets up its processes, so this signature on msedge.exe alone is not evidence of injection by the sample.
System policy modification (1 TTPs, 5 IoCs), all by WinXP.Horror.Destructive (Created By WobbyChip).exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
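The registry IoCs in this report are printed as flat text in NT object-manager form (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...). The following is an added example (editor's code, not the sandbox's) that parses rows of that shape into structured records, converts them to the HKLM/HKU spelling an analyst uses with reg.exe or a remediation script, drops the WOW6432Node redirect while recording that the write hit the 32-bit view, and flags the values that disable UAC, the Registry Editor, Task Manager or the logon shell. The sample rows are constructed from the Signatures section above; the tamper table is this example's own list of well-known policy values, not something the report defines.

```python
"""Parse sandbox-style registry IoC rows and flag well-known policy tampering.
SAMPLE_ROWS are constructed from the rows printed in this report's Signatures section."""
import re
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>str|int)\)|Delete value|Key created|Key opened|Key value queried)'
    r'\s+(?P<path>\\REGISTRY\\.+?)(?:\s+=\s+"(?P<value>[^"]*)")?$'
)
OP_NAMES = {'Set value': 'set', 'Delete value': 'delete', 'Key created': 'create',
            'Key opened': 'open', 'Key value queried': 'query'}
HKU_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21(?:-\d+)+)\\(.*)$')
HKU_PREFIX_RE = re.compile(r'^HKU\\S-1-5-21(?:-\d+)+\\(.*)$')

POLICY_SYSTEM = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
POLICY_EXPLORER = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
WINLOGON = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# (key relative to HKLM or HKU\<sid>, value name) -> (value that indicates tampering,
# or None meaning "anything but the documented default"; description). Example's own table.
TAMPER = {
    (POLICY_SYSTEM, 'EnableLUA'): ('0', 'UAC disabled'),
    (POLICY_SYSTEM, 'DisableRegistryTools'): ('1', 'Registry Editor blocked by policy'),
    (POLICY_SYSTEM, 'DisableTaskMgr'): ('1', 'Task Manager blocked by policy'),
    (POLICY_SYSTEM, 'HideFastUserSwitching'): ('1', 'fast user switching hidden'),
    (POLICY_EXPLORER, 'NoDesktop'): ('1', 'desktop hidden by policy'),
    (WINLOGON, 'Shell'): (None, 'Winlogon Shell replaced (default explorer.exe)'),
}


@dataclass
class RegEvent:
    op: str                   # set | delete | create | open | query
    key: str                  # HKLM\... or HKU\<SID>\..., WOW6432Node removed
    name: Optional[str]       # value name, None for key-level operations
    vtype: Optional[str]      # str | int for set operations
    value: Optional[str]      # as printed by the sandbox (always a string)
    wow64: bool               # True if the operation hit the 32-bit (WOW6432Node) view


def _normalize_key(key: str):
    """Map NT object-manager paths to the HKLM/HKU spelling and strip the WOW64 redirect."""
    if key.startswith('\\REGISTRY\\MACHINE\\'):
        key = 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    else:
        m = HKU_RE.match(key)
        if m:
            key = f'HKU\\{m.group(1)}\\{m.group(2)}'
    wow64 = '\\WOW6432Node\\' in key
    if wow64:
        key = key.replace('\\WOW6432Node', '')
    return key, wow64


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f'unrecognised IoC row: {row!r}')
    op = OP_NAMES[m.group('op').split(' (')[0]]
    path = m.group('path')
    if op in ('set', 'delete', 'query'):       # last path component names a value
        key, _, name = path.rpartition('\\')
    else:                                      # key-level operation
        key, name = path, None
    key, wow64 = _normalize_key(key)
    return RegEvent(op, key, name, m.group('vtype'), m.group('value'), wow64)


def _relative_key(key: str) -> str:
    """Strip HKLM\\ or HKU\\<SID>\\ so machine and per-user policy keys share one table."""
    if key.startswith('HKLM\\'):
        return key[len('HKLM\\'):]
    m = HKU_PREFIX_RE.match(key)
    return m.group(1) if m else key


def findings(events: List[RegEvent]) -> List[str]:
    """Report set/delete operations that match the tamper table."""
    out = []
    for ev in events:
        if ev.op not in ('set', 'delete'):
            continue
        rule = TAMPER.get((_relative_key(ev.key), ev.name))
        if rule is None:
            continue
        bad_value, what = rule
        if ev.op == 'delete':
            out.append(f'{ev.name} deleted under {ev.key} (policy value related to: {what})')
        elif bad_value is None and (ev.value or '').lower() != 'explorer.exe':
            out.append(f'{what}: {ev.name}="{ev.value}" under {ev.key}')
        elif bad_value is not None and ev.value == bad_value:
            out.append(f'{what}: {ev.name}={ev.value} under {ev.key}')
    return out


# Constructed from the IoC rows printed in this report's Signatures section.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1"',
]

if __name__ == '__main__':
    for line in findings([parse_row(r) for r in SAMPLE_ROWS]):
        print(line)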
Processes
Root processes are listed at the top level; everything indented beneath PID 208 was spawned by that Edge browser process, including the downloaded sample.

- PID 208  msedge.exe (root)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children of PID 208:
  - PID 216  msedge.exe (crashpad handler)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b21546f8,0x7ff9b2154708,0x7ff9b2154718
  - PID 468  msedge.exe (GPU process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  - PID 1752  msedge.exe (network service)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - PID 2768  msedge.exe (storage service)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  - PID 4680  msedge.exe (renderer, client id 6)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  - PID 4308  msedge.exe (renderer, client id 5)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - PID 4064  msedge.exe (renderer, client id 7)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  - PID 4996  identity_helper.exe
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  - PID 1788  identity_helper.exe (second instance, same command line)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - PID 2940  msedge.exe (renderer, client id 9)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  - PID 2412  msedge.exe (renderer, client id 10, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  - PID 3672  msedge.exe (renderer, client id 11)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  - PID 5064  msedge.exe (renderer, client id 12, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  - PID 824  msedge.exe (renderer, client id 13)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  - PID 3720  msedge.exe (renderer, client id 14)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  - PID 2416  msedge.exe (renderer, client id 15)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  - PID 228  msedge.exe (collections utility)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  - PID 4592  msedge.exe (renderer, client id 18)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  - PID 548  msedge.exe (icon reader utility)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  - PID 1836  msedge.exe (quarantine utility)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - PID 4568  WinXP.Horror.Destructive (Created By WobbyChip).exe (the downloaded sample, launched from the browser)
    Image: C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
    Command line: "C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
    Signatures:
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
  - PID 2336  msedge.exe (second GPU process, started with the GPU sandbox disabled and GL disabled)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8017775622442717157,13490263120691065499,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
- PID 4464  CompPkgSrv.exe (root)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4604  CompPkgSrv.exe (root)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2580  CompPkgSrv.exe (root)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3468  explorer.exe (root)
  Image: C:\Windows\explorer.exe
  Command line: explorer.exe
- PID 4624  AUDIODG.EXE (root)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4a0
  - Suspicious use of AdjustPrivilegeToken
- PID 3704  sihost.exe (root)
  Image: C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- PID 3464  sihost.exe (root)
  Command line: sihost.exe
- PID 4124  sihost.exe (root)
  Command line: sihost.exe
- PID 2884  sihost.exe (root)
  Command line: sihost.exe
- PID 764  sihost.exe (root)
  Command line: sihost.exe
- PID 4104  sihost.exe (root)
  Command line: sihost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
Downloads
The entries that carry a path are Edge profile files; no hash for the downloaded executable appears in this list.

- Filesize: 152B
  MD5: c5abc082d9d9307e797b7e89a2f755f4
  SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
  SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
  SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
- Filesize: 152B
  MD5: b4a74bc775caf3de7fc9cde3c30ce482
  SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
  SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
  SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
- Filesize: 20KB
  MD5: 62b3656502d2f8f50d792ea1c8c41438
  SHA1: cb0fd4f8bdfb6e32e86b6d805916dc95bbed7a71
  SHA256: 4ff8b2f6c2012d486d9388885d7bed23513913f3e50d35bfc34cfc0e6d4c6385
  SHA512: a3fb33fe6c2ff563c8324dfeea173ac02d918b38b14adf56403a8fcba33dd21957bd617b4e15d09e1a347a9fe7415789d710505317754873aea6a8b60167eff1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 1b713ac36ac44e19624558963c05ac73
  SHA1: 1bb397eb0de83bea5f69c0ef74b00ffcce843e2f
  SHA256: ee80374e2dfc320cffdc506d8c57917486edffda713dd471a27d6b6b6813180c
  SHA512: a4dd53c34e11c17be1dcf04ca16456a29eb78adfc2bede8452ae9cba1e93950f430ff13951a15f7e3f3bf76cb110073afb7797be3913a5c18c00bca01d5c330f
- Filesize: 3KB
  MD5: e10cc106aec9d4efe6c99ddd7515f160
  SHA1: 750682195d0b53bf0ca58e70402221373ea07ff5
  SHA256: fc436ae59e4c9774fd13449f17c356ade890499ac350cad411ab0048f6f17200
  SHA512: b90c1477fe940531f163731820af8a001042af6ff7b621c303363df0c90515fb5fb8674a4265d6e875ec17ad995c62e6541f88fc6426aa65d7efddba91d7e064
- Filesize: 3KB
  MD5: c11d580896dd66835aab196c2d3e92d3
  SHA1: 43e3d5aaf8cd5300a2364ddf914ff09c20ca089c
  SHA256: 27d221501c3106693c7cbd34bd619bfb6ba55e4df6660c5b07303638331aec46
  SHA512: d5aaefe8bfd32600caa93ca60cae36f3ce89f49e7ba704401cbd37aa7f060086b04ccc385306fb9674ec7349546e53a2e7653a813bed1b6fdaa1f981cd592b40
- Filesize: 5KB
  MD5: 08d23464b4c3f7c8abcce1291fdf3319
  SHA1: 0110a3b18bcdabaddc66de6628612e395d5f1d9e
  SHA256: 3e3bee99a02edfc993e9af8f7e5489c0c187144d28341aa96f807e7e132d6fa5
  SHA512: 59701ce97f94fa7ef17f1a1ae93af2a87da164d81040b2c04054c14efb9cde20dc91553665488c55cc385403f68df61e655379b2fa1183b49553f3d3c5178f97
- Filesize: 7KB
  MD5: 960db3c06fa347ab17b6dc8ea16b10ec
  SHA1: db74dcf02596f75b7956c205cc65b54fa754b370
  SHA256: f22c30ae26c4f17c71a77bba4e77a8138abcd9491762d005c83c57ecd2fa22b1
  SHA512: bbd406b21a86ca1b718021b579dfbf7893e0662ab863d71ff960c9ec66e446577a9d385d55c22b2423d4ea17abc09bd5ee090e56a5f207d3d6395a3601f8dafd
- Filesize: 6KB
  MD5: 3547a14328fcc48e21f12f3ebbdbfed7
  SHA1: 4b75ffb9d3148a72d4a52fb9eb7a0a2fbfeec14c
  SHA256: d17b422bba5984a84cd153f1c301997ebcc366ba2017d815f2f012016d716363
  SHA512: 2eef55604e6bf04a6ce3cc63e877c5dd8aa2e66c4fcad4c716d7409941298982ad6b30866f7370d9b7707444256722cdbbe9d9bff540aa697d7e558b792bfc94
- Filesize: 6KB
  MD5: dfbc521ef4c0fd46f35d672b103574e4
  SHA1: 594e7d31edb7f351e32ce84fde9e1bf2a5400bea
  SHA256: 2ded0fdb10b26fd4c084dcce52ea77fa87e7c9c979a3c4b3c958788ae179c867
  SHA512: 9002deb0ef4233177c6b0eac2a0576f07b6e317184e711a16c40ad17f1cb3c5162dc8ddbe6b76e3eca9ab42da6e3cadc65f94a6ecf225c420ffa0375b1341f83
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 90B
  MD5: 9c5abdfd6d3ad825afdc48c2a96356ab
  SHA1: 75d9302697550aa345233f285664b31c34840493
  SHA256: b5abf46249a48a3c8e69151ea15dd6b2349b35a2300d06a815eaa3f5eda0e164
  SHA512: 9a42a2c08eeed555c9e93f98b0d81b68d4408d0ef1c060b6bad4cbf1bf8cde0eff1aebf5e29c25b646504189cd45e9a125e3e9b826f0d4f831aaa7a7c323a292
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt (second write to the same file)
  Filesize: 26B
  MD5: 2892eee3e20e19a9ba77be6913508a54
  SHA1: 7c4ef82faa28393c739c517d706ac6919a8ffc49
  SHA256: 4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2
  SHA512: b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae
- Filesize: 1KB
  MD5: 3e89432fb39bf21b234650bf98891489
  SHA1: 9f2e3967393bd80106042f034bc9ecdedc32aaf8
  SHA256: 9fa55ca7f07ce4639383baced4661ddac8fab41c9a5ca1956801069dbd00f34c
  SHA512: 61d20cc0b05b1994c8bfbf7232db85099f117d892c2eb027e9c2be4f4eb4a01b5d776167e493282aaa9bd5a3e1e4adcf7545262e3fbcbf6970e03642e67c15cb
- Filesize: 1KB
  MD5: 2e5e5ddaf9f0d01d0cf7f01c283a77a7
  SHA1: e079201af6a192f463bd736719522efd74e35f4f
  SHA256: 504f40b01a34468bda0cc0d3ea3a7cb22e94662eca45e8193ca7fae94633a205
  SHA512: b6c9fce8fbd17221a557610d8b2d72ace61a3c852703859d8234514c658500751f052d44541c0f4b1da755bab74eda372fdb4c7f7635d9612d23e6647361e1e9
- Filesize: 1KB
  MD5: e5532d03eb36c4e4d71c0128ef17a0d5
  SHA1: a5ae81d0af061d28f522cf25e3d3db24516e8716
  SHA256: bd462076bf71d6084bbe11f4f676578ca58d58c109ce1e3d2afbf2f0aa830d39
  SHA512: dcb8a3ff4f7f6fb80b9f7cbf90c889c8fbef5004261640a857996268a480e0f2a247d1c465dcd618ad4a70e62dc55aa6b4feec5d63854c092f1ed85555e07d26
- Filesize: 372B
  MD5: 4d0c82b0665d9643cb0e999496fb8f7c
  SHA1: 6dcb550e044de82122494b526d13cc8db02c5c36
  SHA256: 89fc53dfda71716e3a4dbef42140fb0a5d363410d5e2f6ecabdead33bdbf565d
  SHA512: 1f20108622372b2b1955c611c3339a340fc968a4da89e7bf0e9d423d81f0b5b1fcc4abcaaff76ddbdb1501a908efdb5fcc6683fbe51163a67f0c62debc37d7dd
- Filesize: 1KB
  MD5: 7fca4912d0f31dd4a5c2a985dd3013a7
  SHA1: d8b9a0d533b08e8558e3e6e5c76b90fb6ecc24a8
  SHA256: 724ce35d73bfbee8d8e8ac33cdb46f5e01a055b7f32eadac8bfbaed4c0ddcd1f
  SHA512: 8befaab01f6756066dcd173f0efd9702cc0a7d54993275158212ea848ef5f9f6a3549671e7247c5d7affd5a737c5aacf768a7250c49e2dfcf229f7938261faf2
- Filesize: 204B
  MD5: 84637a25b15be820126d6fb4e0978940
  SHA1: 5f9f684c1e1df1c3e04f94fdde3fc41a908436f7
  SHA256: d26f1a005995927e8f055626e01744d9416ad7f24bc29223a42e0eba74351b52
  SHA512: 163be296331161bd16d263bcfe225b2213f6a389589f1ed2b76b92d20a6a862d72c356af621a8fa48e976ef4cf8683d4a106142e305908001936dd1d2868baf0
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: e13e015e601aee99c99dfe179c39775b
  SHA1: 374ed5e5e318b1640c740bfe59d36b450352df35
  SHA256: 215aa79c43c63a34bab1864d6c5d22bff98d491fbe3b1a0c767052fcabaaf1b9
  SHA512: fb401ac176bfd5a37971929d9796de2a39aef039a2ac6a583c5f17e5956d9d8a1b09934a3100dc3af21d0850430f5d489bd7d74df9bfb0dd1d01d506dbbb0279
- Filesize: 12KB
  MD5: 3505e5d85e05081e03146fd13aecf30b
  SHA1: 87bd6fe7574d6377cd4b3eb2d3fe47082111547d
  SHA256: 0d59121fef3e0d632b8604667c4ccd0f78e46065a57ee350c675c582e0881c83
  SHA512: 4435e91c1eeab57edf4aa74fdef68fde794b75152a405a21d9fc1eaa4c6aae1d78c9cf0ca5e3321f54d89e8cf28e967c05acbfa1d5f1ac7deb8d18d2bc5c8511