Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 17:20
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://archive.org/download/WinXP.Horror.DestructiveCreatedByWobbyChip_201903/WinXP.Horror.Destructive%20%20%28Created%20By%20WobbyChip%29.exe
Resource: win10v2004-20241007-en
General
Target: https://archive.org/download/WinXP.Horror.DestructiveCreatedByWobbyChip_201903/WinXP.Horror.Destructive%20%20%28Created%20By%20WobbyChip%29.exe
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid | Process
808 | WinXP.Horror.Destructive (Created By WobbyChip).exe
5996 | WinXP.Horror.Destructive (Created By WobbyChip).exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WinXP.Horror.Destructive (Created By WobbyChip).exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | WinXP.Horror.Destructive (Created By WobbyChip).exe
File opened for modification | \??\PhysicalDrive0 | WinXP.Horror.Destructive (Created By WobbyChip).exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinXP.Horror.Destructive (Created By WobbyChip).exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Mouse | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Mouse\SwapMouseButtons = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Mouse | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Mouse\SwapMouseButtons = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe

NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 183733.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
(64 rows; identical rows collapsed)
1792 | msedge.exe
964 | msedge.exe
1412 | identity_helper.exe
5692 | msedge.exe
5996 | WinXP.Horror.Destructive (Created By WobbyChip).exe
808 | WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid | Process
964 | msedge.exe (all 18 rows)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 4552 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4552 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
964 | msedge.exe (all 64 rows)

Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
964 | msedge.exe (all 32 rows)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5996 | WinXP.Horror.Destructive (Created By WobbyChip).exe
808 | WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(64 rows; identical rows collapsed)
PID 964 wrote to memory of 2836 | 964 | msedge.exe | 84
PID 964 wrote to memory of 3836 | 964 | msedge.exe | 85
PID 964 wrote to memory of 1792 | 964 | msedge.exe | 86
PID 964 wrote to memory of 2016 | 964 | msedge.exe | 87

System policy modification 1 TTPs 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | WinXP.Horror.Destructive (Created By WobbyChip).exe
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://archive.org/download/WinXP.Horror.DestructiveCreatedByWobbyChip_201903/WinXP.Horror.Destructive%20%20%28Created%20By%20WobbyChip%29.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 964

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff8f81e46f8,0x7ff8f81e4708,0x7ff8f81e4718
      PID: 2836

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      PID: 3836

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1792

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      PID: 2016

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
      PID: 976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      PID: 2860

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
      PID: 3680

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1412

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
      PID: 1364

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      PID: 4628

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
      PID: 5116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
      PID: 1416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
      PID: 1452

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
      PID: 3652

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
      PID: 5284

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      PID: 5788

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
      PID: 5796

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
      PID: 6056

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
      PID: 2056

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
      PID: 2416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      PID: 1880

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
      PID: 432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
      PID: 6052

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
      PID: 5816

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
      PID: 5908

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
      PID: 3776

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5692

    C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
      Command line: "C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      PID: 808

    C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
      Command line: "C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      PID: 5996

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7482800303834350856,10917136028044557175,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6276 /prefetch:2
      PID: 5148

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4388

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2572

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2888

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x384 0x2d0
  - Suspicious use of AdjustPrivilegeToken
  PID: 4552
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: a2ded4205b356297b158e12776e20ac2
  SHA1: 738ed535dad125623a9dfc703104b880de337211
  SHA256: fee3ea15feb1c6965519919f410f3d7f37f155ec38d054a23c43e32a598aaba7
  SHA512: 72835e87eef785f2a759a08cc23d91512ad83fb8cb115e43f471690eb6cf70be0e4a89ea66f24cddc350166b8f01b06aaf1e1f2b9316f40575203bf2372672a1
- Filesize: 695B
  MD5: 8ffce6b84e424d2c242e804d22c64580
  SHA1: 6c78fa4a92b67d19e8ea54c059e8a8225007fa69
  SHA256: 106909195b58a7eeb0fee3b13dae07752758ecfc25aa0c04010c8f29b8f34b73
  SHA512: d697bf17118d23bf079f5c63bd41398ab43d1ab445bd6c5fd5ebf0960c85b4b3332e64386d3e97e920a20a80360d05672983479ae7a472239a1279900f6a57de
- Filesize: 5KB
  MD5: 3fc16f589e08d95511164d23b36155cf
  SHA1: e8e0a5fb0a8ed71142cd0c47edc79be7ac6aab58
  SHA256: 427ac6f11011929edcad62765ef481b3b4e9aaddca370e4c348ec9b6098ec20e
  SHA512: 6eee473e8279b031e0179862f3d2725ede64b50283a1b1279b76900130b82862abdfff5db0c61fd68ffd667062fd0ac398cc6e0e5fc32ad9b43a46eb6e25fd07
- Filesize: 6KB
  MD5: 6d76d2b6fc586f53f6e928c258d86d81
  SHA1: ec93b32fad57ae660648c2e092f28d514b2d8bd1
  SHA256: 810983732756a051322c7cd1cb0def16fbd4cb52cf96764c52daba9e4ebb0c60
  SHA512: 4e580e29a606e46d7535bad8135fabc39d0a50a2566a45f71a5852f57b682f75f89e3674ab368962fce786ba38bbc9ca76c4fc32c3f85f743489855e6f5cf4f0
- Filesize: 6KB
  MD5: 8f6d17228b60cac08ee9d15846dbb8d1
  SHA1: 93f1cd610de9b6090b12218b6b6026cb36605884
  SHA256: 1f29e5fb43b6bceeb0145d652f06c469339fd8f998b79f77286591ec14f03867
  SHA512: 2a60a22039b8d4d7fe50a4fd2530b7bb409cc2059b6386d41cc7602aae83f661b4c4c5752715a704091eca37b2f33c2f718dd556a3ee4ab86cf0b70460457700
- Filesize: 6KB
  MD5: aa641accb2ed0d2ec074e2f751094ba6
  SHA1: 0645e6c1da35602886a4ce90bf62967ebd7562dd
  SHA256: 4bac806299ea0523df098530747c42e0c1002ac48a75b03aad380cfff80a3a59
  SHA512: 44d362dba732dbc60b9c635daccbaf87a0761bc0bef5e06da191cb61b06534abae777d2d1b1a0730a5f8c9f0f8c63c2942a5bfc78ffb31c7829b72cd32631dc3
- Filesize: 6KB
  MD5: b320f01403aab4010128e32d7f2a65f8
  SHA1: e592208fd51af4b134469c50ae8f0983384c1aac
  SHA256: 5bee7204635b8323400f74a909187a3a617837c9d9d29b55fa448d696453aac4
  SHA512: 67d17ae383b4130ae112293ab1fd37f3d7910e86110809c965407cf5380d9b0a1eef7dc5e5fb4236036312acf13c06942f38e28b4c4784035c1fb6710e0e8145
- Filesize: 874B
  MD5: 59480a6798e59f52dae1004af2d9b480
  SHA1: 68b39eb64cd470d19ec01025357debcdab83fc1a
  SHA256: 0934a273fe154d9e34baed8e82597862407f99a290f90d2a5885d300f0445b47
  SHA512: bc169e5d37ee0130885de479b24d30b46850198d721ac3d97e1b338c9f9c5597ad16cb2a2c382f4aa38c6ca0ed8b9928f00c0ebeaf82318bb7431a2ac8e717a7
- Filesize: 372B
  MD5: bee2f91f676b25f5dc6f0ef59720014e
  SHA1: 290bd008fe6bd3464b5b503105a4e97d27c1e4cf
  SHA256: bf97ffe9f6cd012d0d0f310d9467109ccff4b0a1bb5cd3c3a3763b5f051e996a
  SHA512: ce5c824c21052e4110843e906ade8697428061641ddaed3d8e704eff4920d039f9dc3d645556268106f867acef5a2892b4738c5f4b50fabd4fb7b6245d73b892
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 11KB
  MD5: 7f8c2b424c1ae05c0af845f6c74d0d60
  SHA1: 054f41a0e7a59e8b889931920960decf81588835
  SHA256: e5e31a1ccde3945e2fe6087d51621fe2e57f01474a677dc89cb34d9c6d22acf2
  SHA512: 04596ccd193b40f9ee17935c7c09d044fecdc24ddd58022235cbade2026a428a4c1f912060b9429ec8ce7b28dd77190354975de8a3d8912647d8f1180a1f925b
- Filesize: 11KB
  MD5: 0a96969b6afa882662054ed86925d219
  SHA1: 2e4eddb72a1dd0e562049982aeb9197382d5acce
  SHA256: 4ee1c87e83b40119dec13053f1c20c8fce9bd7e7df809d787b0773a994da5bdc
  SHA512: be46d472b57c1594ed8d56a5801f4ffc13bbbeb1ae9a9b44e995bcf8d66013bcc82e8486cc8e24285c045436dc7a3c6b28db74ac4703d4a7bb0e3e12f443332a