hxxps://github[.]com/TheDarkMythos/windows-malware

Resubmissions

25/03/2025, 19:55

250325-ym9gxa1yct 10

25/03/2025, 19:51

250325-yky86a1xh1 10

25/03/2025, 19:35

250325-ya1dgavm12 10

25/03/2025, 19:32

250325-x849msvmw6 8

Analysis

max time kernel
666s
max time network
651s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 19:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

10^/10

agilenet bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
23	1512	chrome.exe
23	1512	chrome.exe
23	1512	chrome.exe
23	1512	chrome.exe
23	1512	chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
724	MrsMajor3.0.exe
4876	eulascr.exe
1280	Install.exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe

Loads dropped DLL 1 IoCs

pid	Process
4876	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002b498-448.dat	agile_net
behavioral1/memory/4876-450-0x00000000002C0000-0x00000000002EA000-memory.dmp	agile_net

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
27	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive (Created By WobbyChip).exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Install.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinXP.Horror.Destructive (Created By WobbyChip).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Mouse	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874061382899374"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Install.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
1468	chrome.exe
1468	chrome.exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe
Token: SeShutdownPrivilege	5940	chrome.exe
Token: SeCreatePagefilePrivilege	5940	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe
5940	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
724	MrsMajor3.0.exe
1160	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5940 wrote to memory of 2040	5940	chrome.exe	78
PID 5940 wrote to memory of 2040	5940	chrome.exe	78
PID 5940 wrote to memory of 1512	5940	chrome.exe	80
PID 5940 wrote to memory of 1512	5940	chrome.exe	80
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3524	5940	chrome.exe	79
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81
PID 5940 wrote to memory of 3868	5940	chrome.exe	81

System policy modification 1 TTPs 7 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/TheDarkMythos/windows-malware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1893dcf8,0x7ffa1893dd04,0x7ffa1893dd10
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2136 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2444 /prefetch:13
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4140,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4196 /prefetch:9
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5124,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5136 /prefetch:14
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5688,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5700 /prefetch:14
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5680,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5732 /prefetch:14
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5772 /prefetch:14
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5760 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1320
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:724
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\15EF.tmp\15F0.tmp\15F1.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\15EF.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\15EF.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4184,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4192 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4652,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4516,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4224 /prefetch:14
  2⤵
  PID:2196
- C:\Users\Admin\Downloads\Install.exe
  "C:\Users\Admin\Downloads\Install.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5864,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5980,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6100,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3296,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=1480,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6384,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3316,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6288,i,842780905817467915,14465180136938580385,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6512 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5564
- C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe
  "C:\Users\Admin\Downloads\WinXP.Horror.Destructive (Created By WobbyChip).exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1160

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:1348

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3644

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1368

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5236

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4156

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
64a63b0372218dff6f7a93af1c8c2e6f

SHA1
079bb1cb600def977345c681b299e07ebfdbcf59

SHA256
c32de6bd93c4d2db912dff7b9fdc32d5e3632edee7336ea8b3b82dc6ac63d4b5

SHA512
393bcc96c7e91fc114d8aca775b6e2c21dc3b34ef3201aedf852aff4d2112a629ed666661a6882dae7ddc73ec689cbf7620b8a86170294f72c5e28d6ccd8d671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
35b12d3d798a795cd8029a107fc3a8ad

SHA1
1eaf630e7be6408b04bf238fc35e9f922f648aaf

SHA256
225492daa09364f3a57d8df5eac7b22d1f2faa904ea979df216ab8f103750bf3

SHA512
5c3a3877613eccc1f3604c89e972ed63c8bffbac7538797f3b8526942073423f9d7434c86bc4062b9a3ebad68434a4068309cfe9f614c42e2dda327e5c121b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c59f09131b9ff666eacb0dbf052155a1

SHA1
963efeff60f4ba9e137d46d121dd1d6f003a563d

SHA256
30dfe25e672da9506a7d0257fc9ca8446a53f0932f37dad55241b73c6d65c878

SHA512
557f2a037bdf0942c657064f0f367c97a1277583418f676cf514a570a21d37f94c19feceb42a3f6a1a21021fa222be131b7ac51a71b6bf929abb7afe22099d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
eff295d653cc238021d3818ff1f8972f

SHA1
31049dea352bfda9ed259fa1e43f480c014489a4

SHA256
4c1c7ac17f055647921b88ae6bcc1ee3160888c6cd52a6f4b649ba43e4b832d8

SHA512
ec9aaa8594377943673191d057785baef2fdf7729c4088ab8629cc5d32031c35bc549d8e40a2c62c2a660a7593da84a9bafaec65f3a29989b7eee509208b0a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d016e42ec80410c6ae42944fca9e7310

SHA1
aa54e94315ffd9d10c40b3d1bcd59ec8a51d7577

SHA256
bf8315551fd5b5f0fbd763230d1fa07a7881b998a33fbbfd3a4a0716cfe3615e

SHA512
21dd613937e847cb482d9c0535840856a0ce10f59fd08e57cf7c38c4b50870bb10539b2ca8a67cc8a6e0b757718cc7ddaf5ba0b3edd86569827fe3888c26f278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
ed3a0e3189be1dd044ebc66ed6b5e17b

SHA1
0245fa31d7d0ce88f1a6a330946d1caaecf1f373

SHA256
2a7001b3efe984102178219c04078580107c70ba35ee7a9e4378eaa0fe1936e1

SHA512
3997631a94941e4a3d6c33bda3a6801cfcafdb142edc1eea2b4b431ac76bbbf84cdf281b769aa922cf3c97fa8ff875e062225762976c905c8d7649f91ad227e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
e1d5b36afd426d6bbbec3a8ee3567e24

SHA1
21ae274dc541e15dcc47af5c31bdb17e560955fc

SHA256
1806eeee97b4dfef8c35206c4bca5c613cc59d756c371535a6641525d0d63ceb

SHA512
c7a905420383ed73576edc160f24ca952ab0a97ba1b25fc731ee55c6ed5e4b88b192077a3395eefdd1c266674065b535a95b75ee001e08849fb94c560c6291b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d7d3f740a29e4d4a409f07d92499d675

SHA1
16f7db4d16865ce25b095f7a00fbd6ce198a9b58

SHA256
b848d6e9fc10a073a15aeb101c01f4effa42091b18cb5944aff80df6725f7228

SHA512
0b6f27f0dad5b39ece228ed981964330dd4516aeed176324d8c1e5c6df5a39fe20dd95a39bdc98ade291e1ae472dd880045d9a25a20829f46feee80ce17dcab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
738e445175b5105e94779f7797229efe

SHA1
b6820f0a9be9e092cc5d89f00cc5648176513132

SHA256
c3223397bf92e130fa94af851de57131c18f1ffaa152c6dd9e2824b2e1b6d261

SHA512
43dbccf19efd5839ebc33b6f53eeebd1e382520e6a08a7f22b51c82554712322c0d2d55cc82d65f5ebb91936fc6ec7d78fdf6f7270d58ac9d10174ef2c0b8c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
645cb8703d43cebea75378614f23ad03

SHA1
5c22e875cb5b0ea6128147b735dbd9836b1ad291

SHA256
fafb520023e05fb987fb94b1a736ba21581b68d81fa4c2f423b9832eb36cca07

SHA512
8a9cb9b758bab82ff3c677cab574bd440821724b18d7846725f754a6d0655eb1eb1e26562b36ef3ab88901dffc6cb96fb9ee344dbc271abf73653044748a7641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f8c5ea848f6bdd01c95a9f49bf6d51ca

SHA1
38a5b72dd7a5331fa39a74a5fbc904979217fb7c

SHA256
7a1c02827cb42e9dc0dee2d70460e9ec822e090ec9a5a9faeb51f33dc3fa1d95

SHA512
aa8d3105f1e357bce0396aa7ee133242e0d83db382a3b3b93118ee2954f90a17ac09f89cdafc09e66de82cc7d8d7e82fcb766c49c3f4d2915b8bfda8ee70d992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bbc676952c67a408c716c322ff8103c0

SHA1
84e0e46a9f81183687ffdc727fcd78235eae7752

SHA256
1126de6c3028ac4df54ba4f21d38c5afe71de6120a79c7ca34f583cab9f8050d

SHA512
468b8d0265ba856ab297e44273e10c05cb244be18517887848bfd32927e0b0805b38f7e2309a45102dd5a16090befa75c6deae1febd01d4f9139512aee43513a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
188572fdbe67b2962c64671010c3a2bb

SHA1
6aa623bc2dcc35186ce5cabe6a0b95b3a57485f8

SHA256
ed969c6917e718143dfffa7b9ad870c9ab5944b2b2f41087775cf5382e38623e

SHA512
8c1d1f012ee850dc69c837ad515dd5a5f4e0e689967412b0c747ddc03f6ef2ba819a809d55e2530674f88b3dd2684bad4f9df5575b8d33f2e732e4441e386b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
803e65fa9d1ec9a590c89ab2745d71fc

SHA1
610fc2ce3c7493e21202ab26834a20b3c760d5ae

SHA256
e1d01f0a6b36d125a2fc00fd37229f49ca6d3a22662e2b60b43dc373fa744e26

SHA512
30c886d635bb3d7a99038ed7c93fb13af9e0c599f9af38ec532c65dd44f9a347c8ac50bf37f0fefd2b0c3f6e094c6fac2de96883d7f1c4de4b4ec96310a61b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
624d644b2a82c06ffe99fc3a4c75d382

SHA1
14ef150d3f73e32a98c68a4dca25a4c8a7a174bb

SHA256
bdba3c510551bb5d002000a32434c90fa32583fec2103120f7c0a4731194db7d

SHA512
c39a397265edf0245a315d53b23aaf519a13ee9ec720a270324e5ca8890eeb0459521865696a6ba903c8d837a689bb941d41750bb8e5879ca529233f698645b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
28508204aad5a406c084be9a96a93c40

SHA1
cb13e37cba770a5050d89c27f3c04f4db8e6f895

SHA256
cee05d90a7bbd207989ae61b0e9611f77e80ab6d5dcac3f0d44f8488cd854d9b

SHA512
8b8a7b665a173c6f37378cf99fb668c34e53727e5a5d2562fa724245919c786268fb9d36e83bad59305b10d2a49550b5c349d31bf64b09538e63bd2848eef31b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e6ab3adf94f1957023956c779a969b61

SHA1
b42fb003820ddd253ba8958ab5e431eb29518494

SHA256
f767e75adc36ed64603afad782a3e707245352cfb0ca0288aa042b079c843241

SHA512
9fd2cbcc1e3fa25799eba2ff47cc08a40744b6e87608b8dc0564775796b42c45461b792826214a885ab3c77f0c92835d5db843bec6ec2c11dee8a4bee74999f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4b510910f8293faf50b495f1b97398f3

SHA1
03e0ca909dc5a4df68d70c288b44cbd5acc34542

SHA256
2a1f8b8b734f56e03dd6880276afeb89e9c678ad69d487710b9e1514c1b3f45a

SHA512
867cd52d260470d9e48fd65c16d42640d985e825d018272083e93f153fe7d3c2dfd2f6f9d25dd907cad5707c73c13bc72d0e1988bfb67b594853f8949726c9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
74f808b7f8dec4446508d3985470588e

SHA1
6e8d11ceec81c4d1d1bd34354517dbbcfca31ce4

SHA256
c3d106ee2b7a848d00f2a992ef610d633e81bf7fc0744706e3b0b960b84a2b8b

SHA512
bf0d2c63b2470e1741a0245de60599c3acb10601e4baee5329c125acbde1dd984b7b6f8fea309e219befb78e7db580887b2a98292d023b46f2b6164ce310d30e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6c84042a9a2ae1f766416053ae89a075

SHA1
baa7bb5b04fac0f8ba959a316a6bb80c98451d0b

SHA256
96bfdd16b55cf3637e22e735e0f375b6c91c81d8ad33a99489e1d74b7ef984bb

SHA512
ef6d86bb46c76495e61f101ea56e72c59df9f1ce026887be02602d1c1025c7a306bf490c8af41662ddf6418a9f931dae580cfaa4a91526b4d70c26407be9a0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ec8c8fa61df3709891b5b98392165011

SHA1
73d002272c6d8229fb338a9384c9b24d7cdd3537

SHA256
673f1f50c9b007d99cfda879323c9f5a8a612a4cc61447a6d00726ca54b92fa4

SHA512
87840773565ca0e764911efa8056c357d9ad6025d8b6b7fbd243183aae4896bd7d83e69ffa31a0bab568a51715656006fa2b9f42d8ff7dbb40be74992129f151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3bdf5702748324cbbb9b1817d884747a

SHA1
0a706177f0554c1ba50820b5aa072854d280155e

SHA256
196b2f5e0c530657ec492c51644c1238ff8d56c7c336b807dbbc546240086a69

SHA512
1dfac2315fb65e8e43a8f047903128d72c0507a5fd8a6349dacbb9979c705a287aefcfabf3e3e7b64ffcf86382b45f8f4388417dd8f65e470bc7e55a98038877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c6bb.TMP

Filesize
48B

MD5
270565fd90e6118c6ad8ca79ccab4ca3

SHA1
ba9965f6dd7f36488fdb3b3f26d85c3a3ec6b623

SHA256
6f8d57f9da30c67563ce29c2a376ec1816df6597e098755fdd17225238ceca48

SHA512
906793623d481de4e86fce4dd72691149423d8d3939ec2381b27f386279ecb1ca369a5085fa9538505e79f996d7b968c189f7d781806ea09d03ec21b3072cdb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
51d00cfa000836fb170e2ded277040bb

SHA1
85e005663c7bf8910dbea888af71a7ed104d768a

SHA256
a8f0f53714e698ce4c5c9ce5d635dd99e5651d0097e70f12cf078b15fca1d831

SHA512
36b8b2415efc9616b04452d26713aacf1cc76cd7d173da0532e34629e3b8e73acfa8b73a43012e9c866c9e91cccfe5fce9a255df5d789a4ce41d860fd548b176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\294d28df-5916-4eb6-ab78-950599e84fd9\0

Filesize
27.1MB

MD5
5ef2e49f5d4e74c76b1f093b864d3813

SHA1
675cacc4a42032faa07ead0aa8714984845b1ab2

SHA256
d82bad666177f682b3e53dc3fe2ff1a2976de1d832c731dab2be46149f5ae50d

SHA512
e49ca90e95592ed878b8c12e1e7039d45c7c8b4c688a27e2b00629fc0d7107910edcdf7181a5ca0d61919667dbe53c9865ea3748a662c96f4c0e99b1543a25c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
805c703e1d191b2c5705f231eb84d815

SHA1
868861957a7e244dd291af69458d9bdbb76f82c5

SHA256
bdcbf42193ef39dd2e609989f812402da27226a1120c6761755a5978fdbea4cf

SHA512
97e592310b99d3a5cea2e583c076aa218ad82f43d4d7d735ee33197ada4c41ebd964d190cd3116db2889d222e70c435753532c64aa9c746370eb8a2135f94ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
4a155fabfcec05b1e573f25254f9fa22

SHA1
7ee0c4d5c2acb550445a775968b1a5633f873c84

SHA256
27a072f51a2754ad361d42d3a501f3d3bb11bb21710cb6410adc03037c830adf

SHA512
ffd6233092fcad01a9841dd65f720a0f3e15deb2683d7ebd42538351c5e11f64060147ae18e57b8f8d7108dd0096eda9008fbecf81986a86ccf4981e0bacfc3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
fe58063dc17ed2d61dee21d268411c15

SHA1
4709a113a448e382414e0199d1393eeb67fd90be

SHA256
45259ad22ab40d14eb862509d6dd311328543de44156df11d71081562bea7eae

SHA512
7ce8b8ed41378c6f2b5447c61fe5b419addeb337f92a99c81f8e7ddbd2ccc4a044f6ef060ea9b9112f5371238993d68c91be65d28df0f09127cc4ff6a701abda

Download Submit
C:\Users\Admin\AppData\Local\Temp\15EF.tmp\15F0.tmp\15F1.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\15EF.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\Downloads\Install.exe

Filesize
48KB

MD5
2949c1a5ed0da748d949ac59dbc15059

SHA1
9fa86b84cba147b2806f4e11dd76f38dc358c202

SHA256
2e0b86cba229e27b6eec45751be45b24f9197cdc7b2eca30447112f917899d0a

SHA512
65eac714afaa0e7e84a41a18dc710b233afc80a03022e4504b3a30fdc5a82dd22f3ec78e2f5ad9df360c0e93f7d06d53b7a638fbaea93d62093a524beb627a66

Download Submit
C:\Users\Admin\Downloads\Install.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1160-962-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-963-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-995-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-994-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-993-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-917-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-927-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-934-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-941-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-942-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-943-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-946-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-947-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-957-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-958-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-959-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-960-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-961-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-992-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-991-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-964-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-965-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-966-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-967-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-968-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-969-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-970-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-971-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-972-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-973-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-974-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-975-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1160-990-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/1280-565-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1280-526-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4876-450-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/4876-457-0x00007FF9F3720000-0x00007FF9F386F000-memory.dmp

Filesize
1.3MB

Download
memory/4876-458-0x000000001CB70000-0x000000001CD32000-memory.dmp

Filesize
1.8MB

Download
memory/4876-459-0x000000001D270000-0x000000001D798000-memory.dmp

Filesize
5.2MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads