2b6d4cefa77ae47c33bbad9dba1dbce9f83a83ed31a0fc5039d24b2c649a7dca

Resubmissions

30/03/2025, 21:06

250330-zx7lqsxsaz 10

30/03/2025, 21:02

250330-zvd7eayrv4 8

30/03/2025, 20:49

250330-zmf12awyh1 10

Analysis

max time kernel
73s
max time network
80s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 21:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MovieDuels.x86.exe
Size

830KB
MD5

e0f676512de7503cf559cb1e5212e7e7
SHA1

6a19ca3de64e3d3e16d160d9b3f10a9019302660
SHA256

2b6d4cefa77ae47c33bbad9dba1dbce9f83a83ed31a0fc5039d24b2c649a7dca
SHA512

b31185e3a5af2421382d56b82c7329c092a5287005be3667638acb7c2ccaabe5a89c10695ccac97406e72bc1d52ac6865e9b0a84437875d8abe35f65d5fb60fa
SSDEEP

24576:hHKxoUWVvBO9Pw0JivckQxgiKZj3z4wBpdwV9RNdJB5nS3T4+LX:hqxnivmAj3z4wBpiSTRz

Score

10^/10

defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	666.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	666.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "p2settings.exe"	666.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe	666.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\666.ico"	666.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp"	666.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\666.bmp	666.exe
File opened for modification	C:\Windows\first.exe	666.exe
File created	C:\Windows\666.bmp	666.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\death.exe	666.exe
File created	C:\Windows\first.exe	666.exe
File opened for modification	C:\Windows\death.exe	666.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MovieDuels.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	666.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "4"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878424410714456"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\666.ico"	666.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Malware1-main.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe
1828	666.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1828	666.exe
3456	StartMenuExperienceHost.exe
936	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4852	4700	chrome.exe	86
PID 4700 wrote to memory of 4852	4700	chrome.exe	86
PID 5104 wrote to memory of 2280	5104	chrome.exe	88
PID 5104 wrote to memory of 2280	5104	chrome.exe	88
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 8	4700	chrome.exe	89
PID 4700 wrote to memory of 2120	4700	chrome.exe	91
PID 4700 wrote to memory of 2120	4700	chrome.exe	91
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92
PID 4700 wrote to memory of 4004	4700	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\MovieDuels.x86.exe
"C:\Users\Admin\AppData\Local\Temp\MovieDuels.x86.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa7eb0dcf8,0x7ffa7eb0dd04,0x7ffa7eb0dd10
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1892,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2228,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2248 /prefetch:11
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2360 /prefetch:13
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4196,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4220 /prefetch:9
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4812,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3172 /prefetch:14
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5004,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4988 /prefetch:14
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5364,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5236 /prefetch:14
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5532,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5540 /prefetch:14
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5280,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:14
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5772,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5896 /prefetch:14
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5764,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5604 /prefetch:14
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4544,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5780 /prefetch:14
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5588,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5608,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6288,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=228 /prefetch:14
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6296,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6324 /prefetch:14
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6284,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6364 /prefetch:14
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4648,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6424 /prefetch:9
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,2675300216799274319,8509946277175224972,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4676 /prefetch:14
  2⤵
  - NTFS ADS
  PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7eb0dcf8,0x7ffa7eb0dd04,0x7ffa7eb0dd10
  2⤵
  PID:2280

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\Temp1_666.exe malware.zip\666.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_666.exe malware.zip\666.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64081be9c66acf2e17f99ce23fae1f20

SHA1
fb7b4d29af471a3b523359e4e0263c5a6527ed11

SHA256
900edc227187f0a2b991c5eb94c879f18fbf9da19a6fcca5742115d7c86e6dbe

SHA512
7cfbfbd227ee9b284942ccf888fc6122a5784d701d6a63c05ac17141a5446f3f2ae43b15fed7b0c54c48db0fa7bb6a4934de45378112d6a9f0fd5158db556878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ca7d7377111755af572b86e5732d3293

SHA1
7ae3099f3f6f228c5b267495c9c476a52ebbc5b2

SHA256
f31c1b49fa40770bc596704cfc3d4d0a3dd8f4d295647282ed568c55419427cf

SHA512
1eb7818eedf77ea1f7aa20a550204e403b0c0f343060b6624c1b9c70891282ed5d3062502d26497dc6ae21ff99401b6d02f6d6ff2d36cb0001d9e4d98a7d08c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f14fa1f2d07f1c8294effc95eea550af

SHA1
f0ad0c8ec823ca689990cce85bfcd3d179054832

SHA256
4c9a29431289642be13e6907ea6dc5cfc8693543925b0ad7ca8fe432d90ff0e6

SHA512
e1761f06a321027780dfe9b48b7d3dd3c5fe39aaef16bb9f82af36e6bbf4a95b6b729a617cef03095db5d2ee693ad886834d89a05de2e966b072df83bf42ff6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5987cc1e-a1d9-4323-a450-4c817d893358.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c4a37428b84da2932dcf7c2eff6ca2fe

SHA1
5812893a273a36d836166b46550f531987c1812e

SHA256
6c9b1d0eda2cef000f8238dd2f1e6f9c0180080d008feba5fa42e0cf9695c4a1

SHA512
b85546f49db39cc2765651c0739c4e2a9ef1f1191b90a0a205c24b43459a9316c090935f3d9dc6a39cb329db09d9b1af2216979655eeb0741b47a5dddd394505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3b8eea01e3e38b44900940d40f18ab97

SHA1
1d5cd8214d063121735066e261f5f927f473475c

SHA256
d40c52fbbbd946346768f90accc1f1fcfcdf479201fbbaef3f578deb313eab8c

SHA512
8e977bb4bc266587a41608d14742a3d3debe60c415bd57447df2c96f3eae7072b0ecd5e475f988470643b9bf4b664037f3086e4bd48acf2f2e94045e9cbe8295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
88c100998cf9d60d29630a7cb9bba6c4

SHA1
d72cc15027a9e3ce38786b6c92f193b5f859a2cc

SHA256
0f56d52b088de892638d2434d0d00f155a7a28450e2692861cdc9d8fda483b7f

SHA512
ff1e9fa5d49c078f72316871b81348ccca408977746711a155cf6283ed2680d06788473ef6ccf1fae425b97ef906e671c72cd32a624e74fd52944fea5fe01aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
78b8e6d96fcb114fbcd0ae859f4b27b0

SHA1
1e3c72c26e6cdb597682ace1f217e20a1fdd9ea7

SHA256
e863a76960e4a573d2f34834bef682f68d7162fd9d55733ace63f089101a67d1

SHA512
57c7ee3b39708590cae25a22f2f2890da46d030749a3c85fb0ed1f6025e9dbc50841a817ba64862f3bb24954ddc715e91e0f27a8405708c5fa4f91469173397c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
35b680ecdd2e7f48a66871c4e3623bf6

SHA1
9a03e4185dbcfc50f26a67c58358269d8139c57a

SHA256
606856fabdc54eab3bbbc9860c619394c664c9f76ef63496a8a3cbddc6547126

SHA512
73bdc3f3c115bb15b571b711bd7bdb8e7fdd6cf585e9a42ddd06fdde23602b323d872fd9622baa24b1c4cb52df9027850140ce5a81dcc13d3d7fd8072d60b998

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
aabe1e4b5665b9c8551e4d8a7086bb1a

SHA1
06fc2c48a4980149f207c3015f0432ce14943d43

SHA256
e9fd704600eb5277c3cded03e9c4983c596bff8db032e0917fe9621c4140e19f

SHA512
1a6407ce829b2805a3b985389328a5c75f2a8c117be4d37a4b25aaff753b63239f5a1eec3dbdcb535b758602a716463159e46a24cc2622c81d18b5df02a843c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
999754e01adbb7f68557f116d28785a1

SHA1
b2327e608b49990932cafe918a9578a78c372d80

SHA256
14d27ebe5a5b49f9ace26336092b5f66463449a48ab333b649150549dbe8cc93

SHA512
57d1c8ac711e8f99c24c3d90d8f2e6c9f3a9f1e3d787f569607dcc1a1f99892ee5c4683447b8c64b691a3b3e62c3e220d991da7ee6180ffed162ff4c1443a814

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
deb961b0d15f337f949fa05c4284c358

SHA1
d6da01fb51cee418730c8dbe918ab896e8072393

SHA256
61f56aa6cfa2270cba2689f13055ffe4cfe556f73290a25e18f0448bf1e07fc3

SHA512
b08e3937fe62de5e4a524d6182480b535a31615a0de512ea737b0d64ec4492861b162ca21f7baa81f0811825512db2f6dc52ee0d5d682704e71cc4e3352c56c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
61cc29ff1ecc39dfbcb494f60bff2d3c

SHA1
7c267c80595f53a592d3c4ea7d7d99b1f2182dbb

SHA256
78750dae1e71d605ef49969b5b215d67e908d48282f4c70ad54aa49286af1c51

SHA512
eead8e310ab649412d8edd3ff6a7557bbab1b674ca95f3f1be4b0ba422019f4f5c85e51bbd6512e409b8d2a0e5594c6e2120ba7380f8b2d21e7826fcb8089e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bb51.TMP

Filesize
48B

MD5
1857286a3187400074454fe8fe93ac03

SHA1
e86471d021b39f03aa6930e5e618c410576e8658

SHA256
bab44b96d21f2ec971304a854188bdfffb0b95384b9b96c0bc4d4c2e589156ce

SHA512
ca5cf13cc1f254c68fbb03628251af02fee61631c513cc25ab05fe15c824fb6de9cacd7e46e04f32e57a33f8dd8047c4827591dc902e5cf19c4af66ba0a9515b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
11157f10aa1b98b5dd052b57a328a506

SHA1
80f102adb638144853bab63496fcc8c4314e27d9

SHA256
3746e5e5760b4ba6d03c08ae30359b0528236d764bb0fd89e1f5c2e14bb06897

SHA512
164f382e6bd16ea5ab6111d5d28ba963cd4b5164fd8f08477530053e67ba240d38edaa04a0a69543ba78a99568d8c545994d72c17ca0264bbbc0faa8005d0bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
de2ab714cf56b63a1e56285cc2a44222

SHA1
7d15d294e2ab0bcc30ee5118795c522ee5f2698e

SHA256
9e5bba53dd610d7c2434830c3f2e6984d00a82d49ab7318ee33666923b5a82c4

SHA512
c7c19f57195f575924ab8843c9e614a7a6383b6b50ad146d25a819fd0e51e9ca022333419d3f1a1a796ab693ae0721409727b2afeb08cfeb3748dac2efe99619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
6e6ff69cc65da1a70642c378ea0d3c53

SHA1
7dd1823fa763e2901fee41b94a80d062d5f56324

SHA256
23eb5028a3ea0c18b83016e9bd9813e3449f832074f288c30bd7fd06916f1dee

SHA512
1e349bde8815a1a4a94e8683f1c1876028aa0e678d3f6263da963032d10ae6e3ed7ae142d86fc7ecffef8c1c11b28cac1ee3eb2802cfcb83340ce6942df2f958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
b6f26eddeeec4d4aa62d71ca3de12d2d

SHA1
004512e6067470a1783b4f0e3c335c44be10dd85

SHA256
e28088713263a766f7255732d71daa0a25b844ffca1fb929dfc13fcc35a914bc

SHA512
a577f66ef57599a7b9dcbde5ea9c48e8a2e576f50b950a3af9c71f07ad628373cc7caf867045ecf9b5384cd2d9bc94d4a21e8323d3ca167f582bec81afbcdb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4700_688766808\41711d31-1ec3-4780-8f98-40a580b96ff0.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\Malware1-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\death.exe

Filesize
2.5MB

MD5
f3346cec01e6868ec4f593e7169dec18

SHA1
6edc85958c45aa4d27bfa604b507fd032656dfd7

SHA256
a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c

SHA512
a4bef1622a434c19329e9d8a26b93687bb5b5658d97d071817efed856c6156e997970dea29cac81b5d45c48d350b6546ca56c2290b919187cb9094e8632e366f

Download Submit
C:\Windows\first.exe

Filesize
682KB

MD5
4cb1f84904af2dc04d8608ad00f8ca1e

SHA1
deffa46803104931299d35c93cff59f8aa8d57c2

SHA256
37f99309053d3b0adce6bac240249f0390c6370a7b1f6d2099b7e838f6df91b7

SHA512
e8c2cf790c4ea089b4ab907607e22c8dfd456b6f9ec8e90ec2df7be0f54d630449f3704b86e3a1e70f16fb56b72bb55ad55cfd7e6c3ba31bfd3015b412ecea36

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads