hxxps://github[.]com/NotReal96/Malware/blob/master/Windows%20XP%20Horror%20Edition[.]md

Analysis

max time kernel
296s
max time network
286s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/11/2024, 13:33

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/NotReal96/Malware/blob/master/Windows%20XP%20Horror%20Edition.md

Score

10^/10

bootkit defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
5940	7z2408-x64.exe
1700	7zG.exe
3776	WinXP.Horror.Destructive.exe

Loads dropped DLL 1 IoCs

pid	Process
1700	7zG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
29	drive.google.com
30	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinXP.Horror.Destructive.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Mouse	WinXP.Horror.Destructive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WinXP Horror Edition.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 466826.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6020	msedge.exe
6020	msedge.exe
2944	msedge.exe
2944	msedge.exe
5740	msedge.exe
5740	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
1952	msedge.exe
1952	msedge.exe
5480	msedge.exe
5480	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe
3776	WinXP.Horror.Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1700	7zG.exe
Token: 35	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: 33	2304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2304	AUDIODG.EXE
Token: SeDebugPrivilege	3776	WinXP.Horror.Destructive.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
1700	7zG.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5940	7z2408-x64.exe
3776	WinXP.Horror.Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3644	2944	msedge.exe	79
PID 2944 wrote to memory of 3644	2944	msedge.exe	79
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 2044	2944	msedge.exe	80
PID 2944 wrote to memory of 6020	2944	msedge.exe	81
PID 2944 wrote to memory of 6020	2944	msedge.exe	81
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82
PID 2944 wrote to memory of 6100	2944	msedge.exe	82

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NotReal96/Malware/blob/master/Windows%20XP%20Horror%20Edition.md
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa95033cb8,0x7ffa95033cc8,0x7ffa95033cd8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7280 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5480
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788974822552513191,7220263240714818586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12857:100:7zEvent31487
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Users\Admin\Downloads\WinXP.Horror.Destructive.exe
"C:\Users\Admin\Downloads\WinXP.Horror.Destructive.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5180

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5500

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5196

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1251595b-941a-4a37-b5c3-9f573a7a5aa6.tmp

Filesize
7KB

MD5
edde7d4ea8c4cb8af56d28178140d83a

SHA1
18aa1f9dc010cdd9407b937f7163e81a8dd45efb

SHA256
f0742139232668f4b52e93aac9e30a896a27ccf2fbcc327c049d1690e66d5ad5

SHA512
c587df80ee531eb95478b6e03c17957e99a1291b33b76a7f0e19ebec2b635ce84cf90988d0443443f912af65593aea0c9a44d54dbaaed3989b5d37c022550649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
38KB

MD5
6d9b75a291598235298cfd81e16dfeeb

SHA1
5416b88cb7e301775e3bafcd77178f037081a94c

SHA256
5c3f13720d81ad23217ac20fe7e94c5b2d43a2e5781d64110323479016d07bf9

SHA512
2abe1df30e8586a78b972778d7e37d6d3967973fc97eb879b7b5b1603387eebd88c97a7701a38ef0faa19b6edf2b512f3e5f92f81600c1671f3158120f4ad00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f29d58e810529f8597a7fc63609b587f

SHA1
ee2cf4ab8882785bb7cd10fdcfbe2d954ff113f1

SHA256
2b07b98a603b23e4f3fc3e5f0d3d0eaa65a9f9b76148acafc2137e1f057b3789

SHA512
0b11253b157eb62cf6da7660117e6b85570fc88ff88666d230fe7a1d64e32d54a520300f67205594d0b120b030ddd6625016b71d21d347da9093c3ce6340eb34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ce66fc2aeb7cf1dcc24f9c1db201ba45

SHA1
069f4d98ade4fab2c69ded519608df38b2854cbc

SHA256
06d75ef3509629cf1c676e7a3b9be197363331d05008687d39779941003dd801

SHA512
c8e2fa31d71e97694f386045beb2afc1a144d0da1d6cd2c2e9e230b5ee9ce2a5953736487098793f306a48c33722d4d0fe7afd54d07f849869075c70aaa35a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c9ca1bedc392abef3e07f3c7f9152657

SHA1
985d8adf8da532a2b628f37a1141623d7f42a2f8

SHA256
f9c7ddb057030d64a3dad0f203b66584dee0a37ebeb3aeaa1d44e91ad582c54d

SHA512
b9dbbea3186dc0de9738464a6bc92cf61d177ee7be890874df271ecd257e98b2625a86d4133c5e5b62a7929018293961914b47c63b61c62ffe8996cbbc7c085d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bfd171abd1508a0ed0d0b097081d87ce

SHA1
6818a4d20d87e1b037cc320bda862dca0179be2e

SHA256
b5d2530c3dfdb954cfaf20f8ebe9132165e6dba34fe3d0924248cdc6cb5e85b6

SHA512
ba51f75b6e43c78d305d4c3ff17dfeabf3ab890b10146ee05be67d3a14f5dbfda4609cfc95a9a041c4502631c99d02bde56631aba9f4c3cf9a51b1cf27c53e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
02cdbb9ad5b5974f2d56d4ec87f8cf2d

SHA1
bcf7898b42a4927eaffaefbcc71e6f3844e5383a

SHA256
7871b5bbe45ca61000fd789e715c3ed9d3ab61d6c940cb4d5b27c9937e01a4ce

SHA512
544e7c6d649457e145c051361f144061bc539b87056082672c1833a622ea5cb82b95882935ff53755efc764696ea29c6cfdd9c74035c39565a03d5fed44c1535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
018a419d62fa76c7cd9b0d5b59bf36ab

SHA1
c0ee5e1443ebf599744248bda2b17e21558a1f23

SHA256
74e96cc92866dee9028f5eaac3bf925d1af780e73cad169201b73febe85d2829

SHA512
1508990c29e1fd34eca3905f9ebac4461aeb33242b9221f94a5494b5427c36686277ff386a83c5d3bb1b6fc0f4beae1be8c6705cf5c3e17cf70800963f8a471a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
606e7ced5f58e19574e42aa972dbdf4e

SHA1
51571667f911a42360db7df801cae4d5bf8c5b0c

SHA256
575854b92c2c1b357dafea0627cdef30d8ed37e86dc27c13c9c712088486e01e

SHA512
d3661f232ff6b98af27f8c0daf8cad420bbb0cfaff88141ff777625a3fec3509172d1cdabeb3e20f1a1588b927fecacd08e9e0ef481c95c2f795ec86eca519ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c7ad2f1cd81a2178f88eb599458e9921

SHA1
22c9c7a284a9ab41c33d1dde2c64da8d41494fa7

SHA256
37191af9e5f8f5a8e3f75fbaf527e6f20dc7a82ea013b82aa211857fafd4695c

SHA512
7028bc3569b48629f8f1c9b0c2bdbe6fd9029856fd83f56777d88ea608325ccc6ccb390077ae1be69d9cfa495a36595488ab3adc1d1a4f7e8dfc7bb0892a2747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a458927df7db9b9509fea029f19c6e2c

SHA1
42673663ab0c8f201fc0e55fa9ec3f0efbad615d

SHA256
f0ce776d2fb733b6825f451713ef72091429a2ae9c10f3417a8bea8054755dae

SHA512
f9890a6c65ad48f0435e9acae24f7fa97fa3471fe63db79c15c02c82ae9ce5bcf210f46950a65c13283d53278f008f92bdebf0fd0ba995d87f95d2b5c9e6b2f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
59720efdf0d369b45f6f2e4223b88ac7

SHA1
93a493da7f8a73cc742a0b542b82cd9415ab338f

SHA256
aac8e6057f47b3a1769e52f8d0ef492d3df8f687ab0268f0cf07364fa373a8d0

SHA512
bf9432be914adab645974e20eab643f3cd751a85a1b03ff5e42bde1700190bde5b18da67b3b792f9c384a1b44d0c8784da62a994f72ef2032cf30b575e6095d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2b9f744b793b086cffbaa14485bca9f

SHA1
938d7e7771dc42949123236929ca1a3e805420e9

SHA256
cd41be3f25acae60045edbefbd999527784a5e49e239b17a26fbd0738cfb49d1

SHA512
a1b99d6305cda7ee3e11953b5bc0adf530d3d035ca2c26c5fd77140a30b927ff62f59623902405d520b0e6db0cd190f6c32d1f036eb925ebad7ac40a8cffaab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21fb7f01ef32e0d5f8fa03251f457bff

SHA1
544a2cc3f9cb71aa7f34590f6ab35ec80dd3dbbc

SHA256
2eb1b6a639f1a6db78866e891a82dbec4d9e422f514c46ab52cc0bc6b5dc26ef

SHA512
1cd6ba87518200d0144d93e2f914c01deb4b9bb1895b742da8fcc9219951e9680be5407ac010b9a452483c9ddc388b1f5077712868cb2f11bb3b4ba63447ee82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03db148008a33bed96002867407393dd

SHA1
f54f47bc4183ad35030268bc962b8e235d466bc5

SHA256
f4f00be1fc984a72e3b444f05a9aadffdbd55929d5270f36540cca27c0a1e757

SHA512
b8ce5b3b0401bbbc360222e0b5be55f0eb233c1f29b35072260c0dac731fc5d063e92f546837dd9f39cb653d8a288ed664f63eecf4d05188cfb5bb5eeba000c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
471ce7c43a6c34f64d2507c6b19b7519

SHA1
c89d1e51236d1b34acadc64e8fb8e408cb3a70c1

SHA256
5b6f705facdb54b5d599f549e7c8782a8aecb61cb33902881eb23f8263c8f3db

SHA512
549ef22b3b08f6195f306ae76328f36b5f00417ac1cb26cdfe3f505e48f7f648edaf1aed47523a25475289c352fcb2f20de38c70d15109e614e2950954de8502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
313b64fbf620dba95dcc1bfd4da5c061

SHA1
a587aaf5b56b46142461f491f620239b8a028d10

SHA256
b3c23c504d9431578721ca89e61e2853ed7619d3d161b1ae8f5e85880e7ddcb4

SHA512
fc193bb802ee88af67e6041c1c7e1126ba445603c37c5d9837b1c5b06ab6530353b99b35abf271322d329fb48b3bf7cdb149394e4278e71f6aedd87b0f77635c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76d1bffaf419fde12808da82f4b1e131

SHA1
f9df3c8209815f8c29b31e782e7c5418d2d62d9c

SHA256
e65499730f21afed892d30062fecf9d47a9b8cedfed61e9971772a7a69116786

SHA512
ced5ebebc0a20e45f7c989e02bd87c440ffe38c6841165fb9549d4ad536ae460cf03e37ece12cbcc8f53b19901dffd6b63003d814a156f5b3639141a77565d7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1aba21e5cdc9c6a5afd7e9242b790e34

SHA1
e1ae4e989722429478d8cbd4175021e6050b5145

SHA256
32889bc600010bd8bb822f1093241ec12107e581a5f93e5fe19f40f8b041f921

SHA512
0968dfcaa293f12c6cdbdc22178f2d658a688ecbcec16a204903ab6e0b9138d4eec5686b5b1284952ef44a53bd4651099fdeaf7f7db92b02a54dedb04857fa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ab17e1ba4ddd6e3fb1ba9e934764a2ad

SHA1
20a0b4975a91c471c3615135e10ab7b47d443c27

SHA256
6ea6035fd7a8b39f511cca935ed93028ceeba6d979a1ff5188a57aca8f49c49a

SHA512
bcda2aefdadb2dadbddc533bdab83d94e9ccd726a34897e5fad087de55570650ced577b7b786f17f6bea2aa238aa3e8cd8a14da2805b67e4a0ffa98ffc9df240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
811d941a7c8dc7a17cd5003570289203

SHA1
3390543228ae1298b1cecfff11040e687cb2add9

SHA256
492a669ad24915691d1154c947f2e27f9a55b58e6b056a2d49ef7f3e51de4d8d

SHA512
d6e5ed0acf711c8b47d9de597caab1d6a192d863cee894441beddb7ad6492e1bc0378a35b330bde578ea092add2fdb7f8234e0cbf93d9998618b20285f43adcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2b98e7686a852c8b5bb3ae2521352f7

SHA1
8789faa61b2ed57d3a4f6771895961da50ff8b7b

SHA256
784c42eada9707df9f7c53d2f182693ea9e4b18653e1e00968c89274bb86f8d1

SHA512
715608e3df590ce0303a6c861e178f57f34058acbadb96011d9ac982d95ea312cce8b371f7eaa548ddde4cae696aa26d2ae17b18cf44ea2e3b6e8ae0d5a1461d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea09314f14c17fa3d8394ab90058a847

SHA1
5a367ff7e27b13ac1b30d25077f8e141aed75024

SHA256
0952ff195c8bb83b96ce4c62490ead9da77af9d56378887ea40479d58ce16a39

SHA512
5c40b3cf219f76ae36efeafa3635d8f1dd43c527ebe9b7878009ab88ef32c219f2add47e8b05745a65d995069973c1d751d21bdb43c99a3b0a59739501c80462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
11215ac2ba5a0447deef605c50e7eeee

SHA1
6035dde9abb2ef3ae6b04c4b49e129df04a136e3

SHA256
c93042b9b193466572cb62932d2ea568b5e4f04fb1a9656cf25a72916129922e

SHA512
463bf3945915697a388b4c457df0d4163b7a11aa2c2a60e375d017ae88a36efbc13ef396884815d52d45ef72f07f3767da464cbd8efbed593c45301514420580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f9f0.TMP

Filesize
874B

MD5
6e35f840065d1f3c408f4815a97fe225

SHA1
aed3d145d44c10e4a0275e82ccce5fd416df846f

SHA256
ca9c43f66debb4477be6f98a9efef25684626cc4712c9930b1c192c8c1132eb9

SHA512
e85410ae6f1ddb2257305918d18b28ff4ffa2250f93fc3599771749bff29fb23072d8329c7a46d2984e7a0336e5f76500408ed90dd750a9945f9393a1f69a842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f57e2fa2d5f6d8f929cc5f28c2b7687

SHA1
45590bf906a5c8bee486c46d6a0bd8a8b9c20d27

SHA256
e3cde218d878245b9defd4fbd1e865b81929b2c254acc52bc47a9e7469471817

SHA512
d2cdf61f0d70a8d3ef8da1c7a27c675a9200e956e6574bbd67403fa04dd4fe6f6656599a8ea383d45b3861f6ad04e60e5e666522195ae57c0445118ed0dae85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3f1c0cdfe389380eb40ba4493f33223

SHA1
8e5b6982c7547462fefcb3ebd2feb303737f479b

SHA256
6beb03d0185ef7fb921d2755dc043ccd178ad807f2434c9824185dfeaf97223a

SHA512
c423ea99b63a3894ba4d3a88b79c7ba7bc59cc542d6106380b94be5d4702a854bdd2ec12c171e4f8c767b1a1a742e6f0c190c7604d370d26cf9ac24a72d8d4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f71f80953c6c572f1c54a0039e5dc14

SHA1
91136ff68f3dc6bca8a0e81bc31fdf003bd03cb2

SHA256
c69bfcee53e23ae30570dce7d8fc5473424ebd35bf14c7c7efe61d6ef58c4ab2

SHA512
87eeba185725ea51de5249f383f9570b4693c531a14fae7b43c5d39cd79f08b36782df4a17bf87983eb5290150195b64aa8ae671cb9538f506ef7894378cf3fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9481d8d21ff7c9c87a7637a6962a8812

SHA1
6d0e7962fc2aa6f700671c10ae86659993ae6afa

SHA256
7e93fa3648212c0e80f4c53f0b079ed0245427e36e5c48bd85a18bad2dbccf93

SHA512
c726e4852c72dcb179f2bf7e97fdde2f7453c4f9742737bd44780557ad81e630f4274a2b127e4cda307683d8dd34847b40f7b9a349b5a97ae42b285c1e7d4dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
035643c04433b731cd7c548ef0e4996d

SHA1
a2f413ef7f1aa8a6e80fe7ef1adc74f23994be17

SHA256
452baa4d9c79e9d0d5602194e486780916fa51e86c55892821e95af90a47ef2f

SHA512
36a1f20b53f60f762f527be8f1db80c74dd7688eb6699c36b10fd75b37313e387033dda1b3aabde08bace3e7c498d24b618d5c3a02728295e1592883e52cd374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4570379fb04c9ee8fee070f6d5f71e53

SHA1
c5b06e1d393e4b5f51fd0d14c9f61f6310a214d5

SHA256
88856094ea777b1c73cbb0eeff317ce804d0026114eee8d181cea64978e75a37

SHA512
d44df3118b784e6a7c23a114a22caea35dabdbb76ad18b451d76e9631636ca12b4e1467985b7d6bd24a6a31a6a64acc84c71a0f86da497a22426edbf1fb6d3ea

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
583B

MD5
c768d57d62138688f20ece97ab7939da

SHA1
680a5bd03cc06256f1e752605f0bc3e5d4913d8d

SHA256
098a1749be8cc1a74622afea8a808524cc5102cb9a5d9d1cf69432b90179395e

SHA512
108875e37bbd5b8a64b3c5ab391cfd55012ac3572073ef744566f931757a802978d7c15a91fe7fa80281bfbc594d038049f1d1ebf356db1bfb4c33a7a8e95623

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 466826.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\WinXP Horror Edition.7z

Filesize
44.0MB

MD5
aa45d1d70efa630ee7b64bf5fd0a493a

SHA1
454090d52076c121ccf858291461805f0272d559

SHA256
0c0267932bb202aee030f44277881680dbe0f9a9387a2b1c601dad2048243454

SHA512
a1fbe8ea113fb3e4cc266f3aa50c46e87acfa129e08adf98279da2ab7dfc52da963bf7ab179fdc68e23e5bf8ff5fa3ee7e277e885f719c23e831fce714540248

Download Submit
C:\Users\Admin\Downloads\WinXP Horror Edition.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3776-1232-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1233-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1234-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1235-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1238-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1213-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1248-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1249-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1250-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/3776-1251-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads