Analysis

max time kernel: 279s
max time network: 281s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2024 15:56
Static task: static1
URLScan task: urlscan1
Errors
Malware Config
Signatures

Disables Task Manager via registry modification

Downloads MZ/PE file

Possible privilege escalation attempt (9 IoCs)
Processes:
  pid   process
  2756  takeown.exe
  4000  icacls.exe
  3736  icacls.exe
  3632  takeown.exe
  4140  icacls.exe
  4872  icacls.exe
  1840  icacls.exe
  4300  takeown.exe
  2980  icacls.exe

A potential corporate email address has been identified in the URL: currency-file@1

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | Win8.Horror.Destructive 1.0.exe

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2844  Win8.Horror.Destructive 1.0.exe
  2320  TrashMBR.exe
  4124  HorrorGui.exe

Modifies file permissions (1 TTPs, 9 IoCs)
Processes:
  pid   process
  4300  takeown.exe
  2980  icacls.exe
  2756  takeown.exe
  1840  icacls.exe
  4000  icacls.exe
  4872  icacls.exe
  3736  icacls.exe
  3632  takeown.exe
  4140  icacls.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by WScript.exe: \??\I:, \??\K:, \??\L:, \??\U:, \??\V:, \??\E:, \??\M:, \??\O:, \??\P:, \??\A:, \??\H:, \??\J:, \??\W:, \??\Z:, \??\X:, \??\B:, \??\G:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\Y:

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Modifies boot configuration data using bcdedit (1 IoCs)
Processes:
  pid   process
  3148  bcdedit.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | TrashMBR.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (27 events)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Win8.Horror.Destructive 1.0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HorrorGui.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shutdown.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TrashMBR.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Kills process with taskkill (30 IoCs)
Processes:
  taskkill.exe, pids: 2460, 2612, 3412, 2996, 4956, 208, 1940, 3704, 3328, 3736, 2984, 3156, 184, 2276, 1748, 3656, 3440, 4456, 4456, 4496, 2864, 3392, 3924, 3612, 4388, 2708, 2184, 4172, 3672, 1848

Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755550162040556" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | cmd.exe

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  4728  chrome.exe (2 events)
  5072  chrome.exe (4 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
Processes:
  pid   process
  4728  chrome.exe (16 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4728 | chrome.exe (32 events)
  Token: SeCreatePagefilePrivilege | 4728 | chrome.exe (32 events)

Suspicious use of FindShellTrayWindow (34 IoCs)
Processes:
  pid   process
  4728  chrome.exe (34 events)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  4728  chrome.exe (24 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  2844  Win8.Horror.Destructive 1.0.exe
  4124  HorrorGui.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  chrome.exe (PID 4728) wrote to the memory of its child chrome.exe processes with PIDs 1844, 1480, 4448 and 3580 (64 events in total).
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4728
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://goole.com
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1844
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc13cbcc40,0x7ffc13cbcc4c,0x7ffc13cbcc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1480
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1576,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4448
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3580
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1440
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3060 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:968
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1376
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4536
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3048
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4788,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2876
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4864
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5184,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3080
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4656,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4312
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5424,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3300
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4820,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4208
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5728,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5720 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3680
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5868,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5936 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4720
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6100,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6088 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5060
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6212,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6204 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:348
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5456,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5068
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5804,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5824 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4004
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5872,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2144
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5900,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5060
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5540,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3000 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4320
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5776,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2368
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3340,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5928 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5072
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5096,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3856 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3428
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4748,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4560
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4672,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6064 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1720
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6164,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4012
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5808,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2804
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5364,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  PID:324
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,3786688219934932681,16888116291804985542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  [depth 2] C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe  PID 2844
      cmdline: "C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    [depth 3] C:\Windows\system32\wscript.exe  PID 5072
        cmdline: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\ED60.tmp\ED61.vbs //Nologo
        - Checks computer location settings
      [depth 4] C:\Windows\system32\cmd.exe  PID 2900
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\Horror8.bat" "
          - Checks computer location settings
          - Modifies registry class
        [depth 5] C:\Windows\system32\reg.exe  PID 3328
            cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key
        [depth 5] C:\Windows\system32\bcdedit.exe  PID 3148
            cmdline: bcdedit /delete {current}
            - Modifies boot configuration data using bcdedit
        [depth 5] C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\TrashMBR.exe  PID 2320
            cmdline: TrashMBR.exe
            - Executes dropped EXE
            - Writes to the Master Boot Record (MBR)
            - System Location Discovery: System Language Discovery
        [depth 5] C:\Windows\system32\taskkill.exe  PID 208
            cmdline: taskkill /f /im taskmgr.exe
            - Kills process with taskkill
        [depth 5] C:\Windows\system32\takeown.exe  PID 2756
            cmdline: takeown /f C:\Windows\system32\taskmgr.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 1840
            cmdline: icacls C:\Windows\system32\taskmgr.exe /grant Admin:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 4000
            cmdline: icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\taskkill.exe  PID 4456
            cmdline: taskkill /f /im logonui.exe
            - Kills process with taskkill
        [depth 5] C:\Windows\system32\takeown.exe  PID 4300
            cmdline: takeown /f C:\Windows\system32\logonui.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 2980
            cmdline: icacls C:\Windows\system32\logonui.exe /grant Admin:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 3736
            cmdline: icacls C:\Windows\system32\logonui.exe /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\taskkill.exe  PID 184
            cmdline: taskkill /f /im explorer.exe
            - Kills process with taskkill
        [depth 5] C:\Windows\system32\takeown.exe  PID 3632
            cmdline: takeown /f C:\Windows\explorer.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 4140
            cmdline: icacls C:\Windows\explorer.exe /grant Admin:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\system32\icacls.exe  PID 4872
            cmdline: icacls C:\Windows\explorer.exe /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [depth 5] C:\Windows\System32\WScript.exe  PID 1888
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\music.vbs"
            - Enumerates connected drives
        [depth 5] C:\Users\Admin\AppData\Local\Temp\ED5F.tmp\HorrorGui.exe  PID 4124
            cmdline: HorrorGui.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          [depth 6] C:\Windows\SysWOW64\taskkill.exe  27 invocations, PIDs 4496, 4388, 2460, 1940, 2708, 2276, 3736, 2184, 4172, 2984, 3672, 2612, 1748, 3156, 3412, 1848, 3704, 3656, 3440, 3328, 2996, 4956, 4456, 2864, 3612, 3392, 3924
              cmdline (identical for each): taskkill /f /im wininit.exe
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
          [depth 6] C:\Windows\SysWOW64\Shutdown.exe  PID 3944
              cmdline: Shutdown /s /t 00
              - System Location Discovery: System Language Discovery
[depth 1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  PID 4340
    cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
[depth 1] C:\Windows\system32\svchost.exe  PID 2184
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
[depth 1] C:\Windows\system32\AUDIODG.EXE  PID 4464
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x2ec 0x498
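The chain recorded in the process tree above (reg add of DisableTaskMgr, bcdedit /delete {current}, takeown followed by icacls Full-control grants on taskmgr.exe, logonui.exe and explorer.exe, a loop of taskkill against wininit.exe from HorrorGui.exe, then an immediate shutdown) is the kind of sequence a process-creation rule set should surface as one incident rather than forty separate hits. The Python below is an added example, not code from the sandbox, the report or the sample: it defines one rule per command-line shape seen here, replays constructed events that mirror this page's tree (the dropper's parent PID and the PIDs of the 27 wininit kills are made up, everything else follows the report), and correlates the findings under their common ancestor. ATT&CK IDs are attached only where the mapping is unambiguous; the taskkill rule deliberately carries none.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Core processes whose forced termination has no benign use in a user session.
PROTECTED_PROCS = {"wininit.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "logonui.exe", "explorer.exe", "taskmgr.exe"}
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass(frozen=True)
class Event:                       # subset of a Sysmon EID 1 / Security 4688 record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: Optional[str]       # ATT&CK ID only where the mapping is clean
    pid: int
    target: str                    # registry value, path, process name or boot entry acted on


def check_event(ev: Event) -> list[Finding]:
    """Stateless rules over the lower-cased command line of one event."""
    cl, name = ev.cmdline.lower(), ev.image.rsplit("\\", 1)[-1].lower()
    found: list[Finding] = []
    if name == "reg.exe" and re.search(r"policies\\system\b.*\bdisabletaskmgr\b.*/d\s+1\b", cl):
        found.append(Finding("reg_disable_taskmgr", "T1112", ev.pid, "DisableTaskMgr"))
    if name == "bcdedit.exe" and (m := re.search(r"/delete\s+(\{[^}]+\})", cl)):
        found.append(Finding("bcdedit_delete_boot_entry", "T1490", ev.pid, m.group(1)))
    if name == "takeown.exe" and (m := re.search(r'/f\s+"?([^"\s]+)', cl)) \
            and m.group(1).startswith(SYSTEM_PREFIX):
        found.append(Finding("takeown_system_path", "T1222.001", ev.pid, m.group(1)))
    if name == "icacls.exe" and (m := re.search(
            r'icacls\s+"?([^"\s]+)"?\s+/grant(?::r)?\s+"?[^":\s]+"?:([a-z,()]+)', cl)) \
            and m.group(1).startswith(SYSTEM_PREFIX) and "f" in re.findall(r"[a-z]+", m.group(2)):
        found.append(Finding("icacls_grant_full_system_path", "T1222.001", ev.pid, m.group(1)))
    if name == "taskkill.exe" and (m := re.search(r'/im\s+"?([^"\s]+)', cl)) \
            and m.group(1) in PROTECTED_PROCS:
        found.append(Finding("taskkill_core_process", None, ev.pid, m.group(1)))
    if name == "shutdown.exe" and re.search(r"(^|\s)/[sr](\s|$)", cl):
        found.append(Finding("forced_shutdown", "T1529", ev.pid, ev.cmdline))
    return found


def correlate(events: list[Event]) -> dict[int, dict]:
    """Group findings under the top-most ancestor present in the data and score the chain."""
    parent = {e.pid: e.ppid for e in events}

    def root(pid: int) -> int:
        while parent.get(pid) in parent:      # climb while the parent is itself in the set
            pid = parent[pid]
        return pid

    alerts: dict[int, dict] = {}
    for ev in events:
        for f in check_event(ev):
            a = alerts.setdefault(root(ev.pid), {"rules": set(), "kills": Counter(),
                                                "takeown": set(), "icacls_full": set()})
            a["rules"].add(f.rule)
            if f.rule == "taskkill_core_process":
                a["kills"][f.target] += 1
            elif f.rule == "takeown_system_path":
                a["takeown"].add(f.target)
            elif f.rule == "icacls_grant_full_system_path":
                a["icacls_full"].add(f.target)
    for a in alerts.values():
        # takeown plus a Full-control grant on the same protected file is the page's
        # "Modifies file permissions" pattern; either half alone is weak evidence.
        a["acl_tampered"] = sorted(a["takeown"] & a["icacls_full"])
        boot_or_acl = "bcdedit_delete_boot_entry" in a["rules"] or bool(a["acl_tampered"])
        a["verdict"] = "destructive" if boot_or_acl and len(a["rules"]) >= 3 else "suspicious"
    return alerts


def build_report_events() -> list[Event]:
    """Constructed events mirroring the tree on this page (not real log output)."""
    s32, tmp = r"C:\Windows\system32", r"C:\Users\Admin\AppData\Local\Temp\ED5F.tmp"
    dropper = r"C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe"
    ev = [Event(2844, 1000, dropper, f'"{dropper}"'),            # ppid 1000 is made up
          Event(5072, 2844, rf"{s32}\wscript.exe", rf'"C:\Windows\sysnative\wscript.exe" {tmp}\ED60.tmp\ED61.vbs //Nologo'),
          Event(2900, 5072, rf"{s32}\cmd.exe", rf'{s32}\cmd.exe /c ""{tmp}\Horror8.bat" "'),
          Event(3328, 2900, rf"{s32}\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
          Event(3148, 2900, rf"{s32}\bcdedit.exe", "bcdedit /delete {current}"),
          Event(2320, 2900, rf"{tmp}\TrashMBR.exe", "TrashMBR.exe"),
          Event(4124, 2900, rf"{tmp}\HorrorGui.exe", "HorrorGui.exe"),
          Event(3944, 4124, r"C:\Windows\SysWOW64\Shutdown.exe", "Shutdown /s /t 00")]
    # per target: taskkill, takeown, icacls Admin:F, icacls "everyone":F, with the page's PIDs
    for kill, own, acl_admin, acl_all, path in [(208, 2756, 1840, 4000, rf"{s32}\taskmgr.exe"),
                                               (4456, 4300, 2980, 3736, rf"{s32}\logonui.exe"),
                                               (184, 3632, 4140, 4872, r"C:\Windows\explorer.exe")]:
        exe = path.rsplit("\\", 1)[-1]
        ev += [Event(kill, 2900, rf"{s32}\taskkill.exe", f"taskkill /f /im {exe}"),
               Event(own, 2900, rf"{s32}\takeown.exe", f"takeown /f {path}"),
               Event(acl_admin, 2900, rf"{s32}\icacls.exe", f"icacls {path} /grant Admin:F"),
               Event(acl_all, 2900, rf"{s32}\icacls.exe", f'icacls {path} /grant "everyone":F')]
    # HorrorGui's 27 kills of wininit.exe; PIDs are made up because the sandbox reused some
    ev += [Event(6001 + i, 4124, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im wininit.exe")
           for i in range(27)]
    return ev
```

`correlate(build_report_events())` yields a single alert keyed on PID 2844 with all six rules, 27 wininit kills and three ACL-tampered system files, verdict "destructive". The same icacls grant on a file under the user's profile produces nothing, which is the point of anchoring the takeown and icacls rules on the C:\Windows prefix. In production, key the parent map on a process GUID rather than the bare PID: this very report reuses 3736, 3328 and 4456 within the run.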
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
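The report attributes "Writes to the Master Boot Record (MBR)" to TrashMBR.exe and "Modifies boot configuration data using bcdedit" to the bcdedit /delete {current} call, which is why Pre-OS Boot / Bootkit appears in the ATT&CK mapping above. The first question on a suspected victim is therefore whether sector 0 is still sane. The page does not say what TrashMBR.exe writes, so the Python below, an added example that is not from the page, the sandbox or the sample, checks the invariants any MBR must satisfy instead of looking for a specific payload: the 0x55AA boot signature, a plausible partition table (valid status bytes, at most one active entry, no overlaps, no zero-length slots), recognition of the protective MBR that a GPT disk carries, and an optional comparison of the bootstrap code against a known-good SHA-256. Every sector it runs on is constructed inside the block; `read_sector0` only shows where a live read would go and needs administrator rights.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIG_OFFSET = 510


def parse_partition_table(sector: bytes) -> list[dict]:
    """Return all four raw entries; type 0x00 marks an unused slot."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    table = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + i * 16)
        table.append({"index": i, "status": status, "type": ptype, "lba": lba, "count": count})
    return table


def check_mbr(sector: bytes, baseline_code_sha256: str = "") -> dict:
    """Structural checks, plus a bootstrap-code comparison when a baseline hash is given."""
    problems = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        problems.append("boot signature 0x55AA missing")
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not used:
        problems.append("partition table empty")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {e['index']}: invalid status byte {e['status']:#04x}")
        if e["lba"] == 0 or e["count"] == 0:
            problems.append(f"entry {e['index']}: zero LBA start or length")
    spans = sorted((e["lba"], e["lba"] + e["count"]) for e in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("partition entries overlap")
    code_sha256 = hashlib.sha256(sector[:PT_OFFSET]).hexdigest()
    if baseline_code_sha256 and code_sha256 != baseline_code_sha256:
        problems.append("bootstrap code differs from baseline")
    layout = "gpt-protective" if len(used) == 1 and used[0]["type"] == 0xEE else "mbr"
    return {"intact": not problems, "layout": layout, "problems": problems,
            "code_sha256": code_sha256, "partitions": used}


def make_sector(code: bytes, entries: list[tuple], signed: bool = True) -> bytes:
    """Build a sector from bootstrap bytes and (status, type, lba, count) tuples."""
    sec = bytearray(SECTOR)
    sec[:PT_OFFSET] = code[:PT_OFFSET].ljust(PT_OFFSET, b"\x00")
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, PT_OFFSET + i * 16, *entry)
    if signed:
        sec[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sec)


# Constructed samples; none of these bytes come from the sandbox run.
GOOD_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x00" * (PT_OFFSET - 7)   # stand-in bootstrap stub
GOOD_BASELINE = hashlib.sha256(GOOD_CODE).hexdigest()
GOOD = make_sector(GOOD_CODE, [(0x80, 0x07, 2048, 1048576), (0x00, 0x07, 1050624, 204800)])
GPT_PROTECTIVE = make_sector(GOOD_CODE, [(0x00, 0xEE, 1, 0xFFFFFFFF)])
CODE_TAMPERED = b"\x90" * PT_OFFSET + GOOD[PT_OFFSET:]   # table kept, bootstrap replaced
TRASHED = bytes(range(256)) * 2                          # whole sector overwritten


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR (needs administrator/root; the default is the Windows device path)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    for label, sec in [("good", GOOD), ("gpt", GPT_PROTECTIVE), ("tampered", CODE_TAMPERED), ("trashed", TRASHED)]:
        print(label, check_mbr(sec, GOOD_BASELINE))
```

A bootstrap-code baseline is only meaningful per image: record the hash of sector 0 on a clean build of the same Windows image and compare against that, since the stub differs between Windows releases and between MBR and GPT installs. A sector that passes every structural check but fails the baseline comparison is the bootkit case; a sector that fails the signature check, like the overwritten one here, is the wiper case this report describes.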
Downloads
-
Filesize: 649B
MD5: aac5f1315a5dff0df6a02dc9dfd69d33
SHA1: 4d9af745f1ba8b2498d7136a65b900712051be84
SHA256: fd02ffa39686130ec9f55ad5693674a95fbbb2f664c95079e9f30f986742660f
SHA512: 4d9795c12f1844b6b91cf3b9ad9a3b9538f7af06b91406f827f48579e1030a12b5298f35c1eeaa9d2b8e27b6ee775d2332b9028be773b9f61c6627855b4e194f
-
Filesize: 215KB
MD5: e579aca9a74ae76669750d8879e16bf3
SHA1: 0b8f462b46ec2b2dbaa728bea79d611411bae752
SHA256: 6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512: df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640
-
Filesize: 3KB
MD5: b173ff7b5d91acecceed934a340f777c
SHA1: 6b275af14dd8d0c0a7c63459ca30fe18a4aaa489
SHA256: 175e2220b36199b4799e1b41e7a249d6b94d297ba829eeb07ce5a3453fddbb4d
SHA512: 8801bb4f5e9ae4b9b3046e5de0bc29b5b22140068c67836062a8ce525a29483acf0f7ce9da371af3c0915050dd78451c3ef585785c2c752fd45d8eb59bc93954
-
Filesize: 3KB
MD5: a5b6379b33565bb845ceee05d012e2a2
SHA1: f17c883b4eb59df01018681b7d9b3d0b002f5cbe
SHA256: 178aaa0fb14ad3834e9af032ec22399ce92639715339af7aaee4e0f072843559
SHA512: 206b15a2ac8acf545d896675cc4691ae139208252046fdd5ffd16f8ea97d0a95cb5b40be4cc091e0be9e973c8d10ef325671b0e486a86cf8f29226d6a2cddbc6
-
Filesize: 18KB
MD5: cee883c52eaa2c11c60f46b8775f5863
SHA1: d398165a5e7d13ae84f264e4379a06ddba538e81
SHA256: 0a10eb44e4044c018c39a43ea66ffb26ce404cd7e61466d2ed35c10a811fff53
SHA512: 1c3e0ae33865feca47f38748715ec55099e42d5c1b885e1969df69b854a3fbdd02d6e363127c855488bac4f398facfdb668dcff2272f27e8a242061d25a75566
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
(These are the digests of the two-byte string "[]", an empty JSON array, so this entry is not a useful indicator.)
-
Filesize: 4KB
MD5: 57222f5cd7c47b8f1142cb629dcbd7db
SHA1: 3798f25d3abd52b1a1502ad87ed2efd6da5ae36b
SHA256: f2cad746e115910d1784747ae225ef1ad4f1b41fd1d63dbf57fbb6e3dfca7dfc
SHA512: 9ee17e4190d1da078b89929a71c7bfbbb9f79a1564b9e7d5584cf56cec8ecda3fd8db6c080455f069118119a15e0731588511493e05777c61aa745dd9d305dba
-
Filesize: 3KB
MD5: 38c075f7d5e51c326fb53669c797eb04
SHA1: c7220c16265c6f248e4a31bd65b4bf6bc90fb5c8
SHA256: 049a3cd89be54c93436b1e600cc3cb52b6d105b566ccf6a06cd32f437b9ba191
SHA512: 6c5d2aa91aa49ad03a4eb34909f611c7a569fb5039b161c591fae1ab844ba32e16cdd8f981f4144e0f52c8cbe280579a4500d179b761bf63e47c68ca91838977
-
Filesize: 4KB
MD5: c98af95f8a50f39df0d0b437078a6175
SHA1: 6d77bb4f08b0e05c2c3fff7793b43c1d39c958f8
SHA256: d4a4ea763d1c45cca31275cddf04dffe91a7ebd38e560b00d3016e98ecc393ab
SHA512: a0026644c5e1e303339fd7f3b60c94f5f18f2a25e8aabf7953a06c3701b501232fc3a474465a7a37ef0758e4ea3810f08ada3b4008cf67a07cda604b83e567a2
-
Filesize: 3KB
MD5: 0eea6d152b04add5da3209ab9d2c68be
SHA1: 7ab387cc91c3984a6b09ec132695f84455734f0c
SHA256: e829f1d9d617d9868122a9a445156014c6e49ed8cd9a17f47806d127508a797b
SHA512: 8ad4205853ab171a172b3aa21eb271bb3fa8dde4ac256ad358f4cdccf8112d4809a148a3843380cf761693b20f5b44773b6fcafff2aab0c38f5307eec425e5b0
-
Filesize: 4KB
MD5: 5c5c05718d17c16541b8736cecdd9e1b
SHA1: aa7f8607f8b5fcfaf2020167ab1c4802cdb2fa86
SHA256: fa9468474889451207f325debd6bcf040d9853de95c8a7f28488c8dd8f19fe66
SHA512: 5a3d2ce44d3e3f365ac895b82f2b7636ec3f0df6ad2e55e1e74c15fa38da25c60b9c15b8be777b11a1fd96b0eb1dbdb32ff60485b2d762d65de741bec8e5f4b2
-
Filesize: 3KB
MD5: 0f5cacc113d4b023cbd357eab7006ad8
SHA1: 790d72fd36c52810200db834685b80b2c418a070
SHA256: 00b93d90ff3a5c93d9ba98e9d022d1b262e67903b98ef08efa0bdb120b6ae956
SHA512: 73b389c283f4d2c6bb5460c498af3f373af33a46478a2c8f934429296be134619b30049107f845da05d80f8ad333e5f61c580c3f33fc35ab5b1f40460c0e8509
-
Filesize: 4KB
MD5: 7ad3c5a015f6adf1671ac73533042f85
SHA1: ee479288a912e967ff4f9c701e561fbbbb2e117a
SHA256: 5505f00608a2ae260e4927f7a4e120d86796b5e19da9b85a6698511e67223a4d
SHA512: 996985086dd5390d88f55d3c60a58b2d48b704232a69827c7a05085032615ff3b0eabded3460c55bb1e4f3aeae73d4ec89dd463013620de7446ed1940dceae61
-
Filesize: 1KB
MD5: 24f38c69943da8faae1ab228755c4b9c
SHA1: db5884d027e3faba4c7f6d2a2db52beb4fce9f83
SHA256: 1b50635181f031e418562b8e8bcd8a725bda47efdd404ea2db5f95e03e8801e5
SHA512: 4bab5eead53add620bf63fc0292fe1fed27e0d3964dcb6da3df135eb4b04c427accccf6340a51d846b6895dd9c3ea4cdbd2fc6aac4a467a2908056190a9f8f28
-
Filesize: 11KB
MD5: 90cb2f5ccfd7d2da5c73f22064ee9663
SHA1: f3dda9968cac7ce8f6d122fafbac63f164faf17a
SHA256: e97b4bcc54a6b27c3a62dac7a7446a04e6f18de257f1b1f3dd6e288d6d75c52b
SHA512: 29cc7182b05acc2bc1ed49affa1cf5c96dac6be5d40e8333b1ad03f22b0d6d792adb0b173425fb66ce1d10f90de1a574e60928f75543d75edeee790d9d877126
-
Filesize: 11KB
MD5: 5dbd89d534fa2f55e5579e69412ed30c
SHA1: 4c407565e1e712a5ac2130c3a56edb0771f82d46
SHA256: 7328eb93c74720433f97c097119fce03fceecd03fb922c74dd79c00b6583a9d2
SHA512: f8bb771ccf1afa75bd6cfbe541571a4b778eaf61a628090b194040edddf24ef5b1246a94cd4981df4ba0adda29092185d3fcfaa88a607a19f95d7627379c259a
-
Filesize: 11KB
MD5: aedaff5f1006cadbcd0195879bae3c97
SHA1: 10716b6f811aec104b98a4c34bbcaa574320603f
SHA256: fde44aa06e5cc23a22d02638c0a512b33d65b8bf597dafc99249f565ddb12ea5
SHA512: edf71eb4eed7a0a78235777306de8749eb2ce065178e64dfe5ce9fe825050a93315ff02745e44762d1c5c60e5f62cd5309e98da7ab4f5d32549438b49dcd1fdb
-
Filesize: 11KB
MD5: 71008aba0df527f0d6a5e9e9caa32575
SHA1: ff62a42d311ddd352375cf8af46be7cf657dc291
SHA256: 0b73ca1e4f6d67ae3944cd33953c1d766679b97e2684407a34893386e7cec52d
SHA512: 555a08e863e34ab85bbf759eead09ca4720429aa9c6425eb110d21c5d11bf611f78d9cb3da672a826b9895f68c25b10ae75133fcbc01ceb2584512671504a24a
-
Filesize: 11KB
MD5: 4c4ccceb2c315f6d254c16f399aa3566
SHA1: f9df35e17cc520f29bf2cf862da46eeb340aae6a
SHA256: bc5cc122a8467c818f95d309ff7618c0d305f55c8f7ea8771ef7d7097b6cf611
SHA512: 879a1c0962ce7bdd486623ba94f0fefb715f11e652e8f01aa9386fc2ffbbcd67094335c65e53d5ea3c1f0d4b1e45afb7249f18ed65fb8a1dd5cfbec765dc97d5
-
Filesize: 11KB
MD5: 5d8469fee3b297559556d069ea7f146f
SHA1: 7d8fa50d4a17d7ddf6c5994c7f0cfe5a69669920
SHA256: da08f9848959291f541dcfbad55a412ed7fab677a4ae746d1a383b37eaf80fd1
SHA512: 5dbfb9116d4f6dad0667ce106dcb5e3ec8c17f7d3eb85bd3fc05bb015f5d654c8dc095c170d9c3a3a893e9aa772dc318e42684650c34df4d1cf119ba5d6ec344
-
Filesize: 10KB
MD5: 1627fcd0a4ab529773dd8d0754b7128e
SHA1: 4b8dd152bec3e51dc7d3b692b7e61cc3ece52b80
SHA256: 062644c3c21d3055e908fdb3c8e4e62bd40ec101b8e40352cc1407a60e131baa
SHA512: 19c455e57bb110ca4b9e39bfb79e2085fd604b37a81c55fde46d24eb6e27874ba818061f34c2fe936ec62020a4c233a575f1a467e4505ea2325eca998cd23008
-
Filesize: 11KB
MD5: 342663946e7920a5ed80399392a3c0e2
SHA1: 7af85f9c24d64986d73c9420d0f096bfea252b9a
SHA256: 743601677b36e17924ccc13e0a235d7ed443fc2d94db035ddfb76b7b94ac0098
SHA512: 94db3559701da384a7b4a17d44dc45d421028f640467d6042419e1dffdeaa707f3a2d5fe96f5a47692433099a27e20133a8be0ecae121d00ed5bab3c739ab195
-
Filesize: 11KB
MD5: 60689ce03a9bd9eccafa5cea4c4624ac
SHA1: 8370b6a5290c085b13e01d4cc1b353f976f5f87d
SHA256: 8a4f2b9814e1ef378520756cf57dcfd5e78bdf2773093545745d382fa24b30b9
SHA512: 100439f6c0faf6a9f187f9c800110a83107e115df2fe6a37f577fc1b36a108d38666c15f9d2d06564a5bf5b079d7a53e0ba4cd96190d6c63018ac6a5ddbde36f
-
Filesize: 9KB
MD5: 1e4ef151f753d10fa475be00467d224e
SHA1: b032ba2b89545a8f94bd0eb77379babc732fe825
SHA256: eb08cd20deb51fbcd40a2b3d5bf7328ec8752d5047dc6b871b7cc6bc2c853e86
SHA512: 33e85bf7194ab5f328564dd5a9a9bd27704e3e2306d6d6cd35f664a104cc7fc96023589b5ae249a417d2a20a081537a0bdfe3e7335626a9f34b4dddb504237ed
-
Filesize: 11KB
MD5: 8c65551e20d0aa1958104eca2f2965ea
SHA1: decbf839c199cf0976f1125a080454dd910eee95
SHA256: 7814b95f446a61104c849fd03985f7af46c9f0fa08cc6c81387e8f1f23b4603d
SHA512: 19d13d15878327fb183dd29676eae136e37cc062e8728d95c36745bdb1944b43ada8aea129886aac2b62ff315985694ac1752cb7ac057f8ca00bfcf44a716481
-
Filesize: 11KB
MD5: c625631fcaafa48965b094f4b48458e7
SHA1: 4c7ff6c0c6ef21ee5e97013eb3a25dd5ee9ae910
SHA256: 942d19461ed6c53cb7e5deffb7e0cd0ecc2af50815a64820227f7dcde1874fb1
SHA512: 79c9631d4f8078d8dbc043150b6b2bd2d2cce7ea58fe06c29f3be07f30f41107e9fe54326409bf78bef74c48c18e43649fdcd2f293d103ea70f50026fc8e3fde
-
Filesize: 11KB
MD5: 0ec1e6b2d0dcf609c6b10512178afe22
SHA1: b5ccbe975aba939195823f01e79585461c389c62
SHA256: 624a5b2aad80db2930920c50b110791ca2ae10f93e98f20430bf2df91cf1d8bf
SHA512: 5de574f5525031c30a578af78b7867ac8127110c61437336aef6f2a8883848efca20be8037f1b91905ba90591dd56d8425545ef0b2c35b6d30b2afa76e2cd9b9
-
Filesize: 9KB
MD5: 07956dae19cf29c3c1ca0b00b7fe8c0d
SHA1: 03016a39b71f3fa863d74a644a7bf8b93107a263
SHA256: 5693f99061a4345cba193719dce45ee0773ffe227d5c6f0ea02ae7f5c8bbc266
SHA512: 29f813f876553d2c637312ca18056be807331cbcdf6e36f0efb1897fb3eaf25357d729ab123384974d9e75a1f131fce3821358abc2b84c28615fe34e8cec0bf0
-
Filesize: 10KB
MD5: 54dbc2e4ad3a17fe6a1d9c5967013d07
SHA1: 2c15bc1600296840b87b1328083f9b29a79c85cc
SHA256: 0aab5e3dccc76968652619ea6e6893bbe60f8c48b7339cb8fcf9639271fe7286
SHA512: b8d3c73110e30ec57c4b13cd10332309509595134024adfe455a356b945b867e024d0bbb881b3447d3280d9f7eb83988d837b792d6079fa947b0043db197c2c6
-
Filesize: 10KB
MD5: 9f42181691d139139f41d6b94c329b93
SHA1: 60c927dba42f0b8be81bb3f8b1c2f53b92465b59
SHA256: 673bd276510871e117317dbf4ed3332e4283500a9b6b9dd85a0862cdddf8aabe
SHA512: a48e69b840789e192f9af7938af6a44aa068af7369e2764ddb263e1b4ebf901feb3c015733a4d142873e7c99ec057bcd55d4154eebd845835ff7749f798d1142
-
Filesize: 11KB
MD5: 5cd6576209129c975e8be21ba02c7d68
SHA1: b3d58e166688f7c7da2a2b89e5517b3f5adf612f
SHA256: 3e7e5429e7af2de6ea4c0134b6695b36ed2f3c41014ce458f1fb49b7f6598fa9
SHA512: 5831f3e2e33ff32440f8721255d82a767abf289424ad9b45105102b26f5a06448cbc21b1070470a106b98c7d3b3905d96053cac6981d96880c7c6616e8b253b2
-
Filesize: 11KB
MD5: 5ce33f6c7ce3e2cfec067a06b1f40162
SHA1: 7260f65ca4457bc13b37e0b167c5537d30baf5e1
SHA256: 46e81faefa085645c3a887a59c5a1dc2ca83694f3c014124d6e73528c4028a9a
SHA512: 5037f4235922f7ec910aff89f96cc01cd977a86a712b5bd02d2748428bbe94bff8324930f4452b3b7353354405ea0d10568a6f2832a53628500d01eef19327fe
-
Filesize: 11KB
MD5: 84353a032b1972b16af3f87b2f140318
SHA1: c22743eb03c819256a147e8f80966d285051c081
SHA256: f6a7295102cca922988985f1306d28df2d5ea27e0729712d9b6b0d2fa0663b9a
SHA512: 0919025f46ab538985ba6bd96e4e614b87c2cde256a7b257a6efcf8e07c7dfc94c4926f93f78e5bd4284c62b18bfbca3d8b92eb90b4f7998ef38bb248c1dacca
-
Filesize: 116KB
MD5: def41a182930b455473dfd42aea265cb
SHA1: 1f9e0d034881ac8dfd1d3b066d671323e52f3029
SHA256: d1a38d39ebc525bd9c54ea41039edec1d403e2fde98fcdf2009ef1ff7d963d61
SHA512: af29aba257edfac890be7b46fd17049fe32802986ad9ae96e3ae15e37663cf454b8406a8ab94b3a7d6b237022b3bcaf290dd49059424a6caf7d92fc610ec8f3b
-
Filesize: 116KB
MD5: 73567f3948f7e05b113999096a96653d
SHA1: 8da5fc879bb249aa09dd48ecb7f52cb886f5d587
SHA256: 3ce6645c00210eee7c04f221b1eb8c10b0705a9d98750cbb8333449538448708
SHA512: 66de2d58cba1ea45e720f4da0befe7647cf236b3d244de427f83e3fa1355bddb3a8cac09d950f5815cf7c0ae6aac2219c515089ad89040b1d319b61a421c1f39
-
Filesize: 116KB
MD5: 76a218a2bd4371bfb084e31657ad72fa
SHA1: 01902c2b65c834940001c80b29d959dad0e017e5
SHA256: a1b9ed928651b48a8e0f5eb6f1bc4e17c618722a899a42b5ecf29ec27d3b41ed
SHA512: 78799f8c03ea17fceee53bfb0fa0caefdac134faa9c75af801db7a6429af94a4c91dac97ad166eaa00a53b7d8564bd190953a8284494bccf9b31e7a76c1f13eb
-
Filesize: 116KB
MD5: b355aa56797f07aa400e2fdc10d97a76
SHA1: b34687ae5a0f46ffbbc35e9b144ea4ad627c0779
SHA256: 2a8f4e6fe138fa5b15f0a25c2b823ec3ffb5f43903a7d401f260a9164f739ea8
SHA512: 39ee76e77dca82d0a01c67e2e13a023f2c3ce21fba3be4f8a198b2b9f539724db1ce666a97bdfdd631afade91b2308a2929e1e11a979a7ddee900d201abdaf8a
-
Filesize: 64KB
MD5: 987a07b978cfe12e4ce45e513ef86619
SHA1: 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256: f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512: 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize: 710B
MD5: 3bafc447cf86b66198f84690cb592adb
SHA1: 5d16e560003b0ca1efa914aa0960fa84dbe1a0a6
SHA256: b96a442adc718e9e0981b1c3bea2c8172f6c5b2c8c1fecda5c311c95728bafff
SHA512: f0aaef88ff735c8823cf83bf513a95084ccc617aa97bfed8ee86dc1366ae8cef679a7b5bf48116370493e0074fd7f56ce7e5e9f22bfbd8dd6f2f7c8489419700
-
Filesize: 915B
MD5: 36fcf85ec52716f5fd8ea625a11c13c6
SHA1: 60a720249c6bb3617e904445c247487dba96af9c
SHA256: 3aba2d676284209730ff20b28a8415a3c41c88f402301b14437040bf2baebe0c
SHA512: 1ba72a3ea4cf1014f0072184067611448276fff273f803c829d1f6bbeb6dd24c7dca41eada5b78f2ddc7dabadf5c5a66e11cd4f8a5aea31d261a69ef186d09f6
-
Filesize: 308KB
MD5: b2653aa06a2253e8155eb81535b20e6a
SHA1: 0cf61fc537d8d73c71724febd0f1f34a6fddc838
SHA256: b4e106e22c4d3e51c87d3d5853298210572ab2834f5e2a0beaf1df7d96c57d29
SHA512: 143694740660ac46f0c6c78903e8378fd402b5338dfb68c3e4a148f6f83036eaea3be6bda160d59ed1c5b52ba235823e284a0564ab9dbedcc3d3a6e40584fd98
-
Filesize: 47KB
MD5: 87f09f4a202bf9c0adcf6fed942aa703
SHA1: 96bf11ff017e31ec2242c0024c372628c40cbd4f
SHA256: acf8abe9bd2f61840a247b4796ebedad20f69a85dbdf8a4100f5d7d306b064b1
SHA512: 85202719aa875b2697ae3082a79a3ca7c1e1be377d6b19f9f159488a5f9d6ec6e9ec35352b067a1bc15546165764acb108c11203bf482ea43684e433717eee58
-
Filesize: 13.1MB
MD5: 1c723b3b9420e04cb8845af8b62a37fa
SHA1: 3331a0f04c851194405eb9a9ff49c76bfa3d4db0
SHA256: 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
SHA512: 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae
-
Filesize: 227B
MD5: 8b703f9c48eb3724348af746e7610061
SHA1: 599aa1820096e92546ea8d863d46cc49404e19e6
SHA256: e8cd555c43973e3b2e6fa0e80d602abc3d7c43a17bc51a6d0ba08e20ea3feadd
SHA512: d38e39e3f9ff71f68d3d851b635bcc27939656ec085369652a324d8b0c95042e722a07b0b06a0a25f0f2b51d5ad1addc3174c472bda3f86cbf28376ba4870208
-
Filesize: 12.4MB
MD5: 846d847d9b1247c57824d5d2601a7faf
SHA1: 2119dccee1e98af31fd193cf38bbfd8614f183bb
SHA256: ba8fa2c240edfc35c3078fcf31b87c0e1af4404dfc1f52e0d5640edb061355fc
SHA512: 8cbad0562c13f997fd2e90e6f3a998cdbd2c207592c1d85e6bcf5c794a65bbf2322355a33c9d1af4f03519447c397e7b34dfea179c30d1a054d32d6031c723ec
-
Filesize: not recorded on the page (the digests below are those of a zero-length file, so the size is 0B)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e