hxxp://google[.]com

Analysis

max time kernel
265s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 07:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

gdifuncs.exegdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

gdifuncs.exegdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

gdifuncs.exegdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

948 takeown.exe
3036 icacls.exe
2260 takeown.exe
4220 icacls.exe

pid	process
948	takeown.exe
3036	icacls.exe
2260	takeown.exe
4220	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 6 IoCs

Processes:

mbr.exeMainWindow.exegdifuncs.exembr.exeMainWindow.exegdifuncs.exe

pid process

4212 mbr.exe
3744 MainWindow.exe
3888 gdifuncs.exe
216 mbr.exe
4912 MainWindow.exe
2928 gdifuncs.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

948 takeown.exe
3036 icacls.exe
2260 takeown.exe
4220 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

142 raw.githubusercontent.com
143 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exembr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
File opened for modification \??\PhysicalDrive0 mbr.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" reg.exe

pid	process
4212	mbr.exe
3744	MainWindow.exe
3888	gdifuncs.exe
216	mbr.exe
4912	MainWindow.exe
2928	gdifuncs.exe

pid	process
948	takeown.exe
3036	icacls.exe
2260	takeown.exe
4220	icacls.exe

flow	ioc
142	raw.githubusercontent.com
143	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3968 timeout.exe

pid	process
3968	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3264 taskkill.exe

pid	process
3264	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

Processes:

gdifuncs.exegdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{02572D00-CC10-4236-95C6-D95E3E02CE03}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exegdifuncs.exemsedge.exe

pid	process
3168	msedge.exe
3168	msedge.exe
1804	msedge.exe
1804	msedge.exe
1824	identity_helper.exe
1824	identity_helper.exe
1932	msedge.exe
1932	msedge.exe
2252	msedge.exe
2252	msedge.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe
3888	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEgdifuncs.exegdifuncs.exe

description	pid	process
Token: 33	3808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3808	AUDIODG.EXE
Token: SeDebugPrivilege	3888	gdifuncs.exe
Token: SeDebugPrivilege	3888	gdifuncs.exe
Token: SeDebugPrivilege	2928	gdifuncs.exe
Token: SeDebugPrivilege	2928	gdifuncs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeMainWindow.exe

pid	process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe
3744	MainWindow.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SpongebobNoSleep2.exeMainWindow.exeSpongebobNoSleep2.exeMainWindow.exe

pid process

1576 SpongebobNoSleep2.exe
3744 MainWindow.exe
4164 SpongebobNoSleep2.exe
4912 MainWindow.exe

pid	process
1576	SpongebobNoSleep2.exe
3744	MainWindow.exe
4164	SpongebobNoSleep2.exe
4912	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1804 wrote to memory of 2208	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 2208	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 212	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 3168	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 3168	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe
PID 1804 wrote to memory of 1580	1804	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gdifuncs.exegdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffa712346f8,0x7ffa71234708,0x7ffa71234718
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1860 /prefetch:8
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1912 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8E51.tmp\8E52.tmp\8E62.vbs //Nologo
2⤵
- Checks computer location settings
PID:4600

C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E51.tmp\tools.cmd" "
3⤵
- Drops file in Windows directory
PID:4456

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
4⤵
- Sets desktop wallpaper using registry
PID:3668

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1984

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1552

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3620

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2276

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4164

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:5056

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4112

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:448

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3540

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1904

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2400

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1960

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3972

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2336

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4152

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3536

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1372

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3116

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:32

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2856

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1984

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3620

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3936

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3120

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:516

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4892

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:448

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3636

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:5040

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3648

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4496

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4076

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4348

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2336

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3888

C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948

C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
4⤵
PID:4848

C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2260

C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4220

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
5⤵
- Kills process with taskkill
PID:3264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5) (1).zip\SpongebobNoSleep2.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5) (1).zip\SpongebobNoSleep2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DAD.tmp\DAE.tmp\DAF.vbs //Nologo
2⤵
- Checks computer location settings
PID:5024

C:\Users\Admin\AppData\Local\Temp\DAD.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\DAD.tmp\mbr.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAD.tmp\tools.cmd" "
3⤵
PID:2504

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
4⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\DAD.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\DAD.tmp\MainWindow.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\AppData\Local\Temp\DAD.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\DAD.tmp\gdifuncs.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
052d9a585075cd14848d93ed7146327d

SHA1
f9ceb7d71fc552d23d4ed70fe5d5033f19985564

SHA256
951573dda35d3f2c4713e0eccb4801ef5cc767232faff19c7a743faa3733557f

SHA512
baa8db9de2d9369ed35358665e5fc94c64e4017ae166eb9814797bfacf4d96a14c8563edf69ea21b75b968446fc531eb9c5eb9f6adef445034cb1ae6caa998b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
cc76ec76ae376ed9c06fd446d799ed52

SHA1
b33672cc4486486d879ed77db75b4d838185fb0c

SHA256
e0b4e096d62b4a9c6c45ebf1eabc2cfd38141eb9d36c1e5c013da16073937293

SHA512
28c02d6c851e18b01be7cb741937b3640b809e6806e8e422a087bffe6b4b2c25e2b93b013ef79cdc3b44df6475518ca942db15d892b819d06906c754cd3cec4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
a656172ff597e05d9ac3c641ee306af9

SHA1
d970fd55db460a64fce74c69c0a31ba60cafa164

SHA256
134209c6391666f3f3ca7d11b6b851498c55f173d3e00334cb3a22b37fc12f32

SHA512
a045e4b63c8689fc975624774dae0b2aa5cb750cf147e167de435c7d8344f050ae61e863a8b5cd55b0ade689a0bd072ac7453dd55fae9b0384c9c3c95f68c6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
2f67076bc563405039809b9fd4ec9b8c

SHA1
5c4e6cabe65285a3ca524c147abf7058d9770f1d

SHA256
64d5700b878b90dc00aef5386a8b17b6710a93c41095cb878058ebbaea46c6ee

SHA512
15b82ae2872d190f797b7f7b1d360a19d8d6897c3ff2b9501a60b7a8c1aac756b4e09f7bde964061ce901a0f0367ba05a9deb436e0a79ab73df09b6ea0788ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
055a93125ebccbecf944fc2a403157c3

SHA1
c2f90ea1c942ede79d9d4850fedf6fb332d3732a

SHA256
4bd716ecf8734ada3978c9d3809c5ed68203d1f29a1e6b2a6724dc2c045aa169

SHA512
952ffaec9eb07c732292d03337e681ae6f120034220be84a608718388489edec861078068cf43bfd5c940e2c9374e8e0d81adbc0a17f08ca807ccac792ba8c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9cbc74b293c6618edc53bce5df64ec74

SHA1
fb78d65183b48a6d1b145135ab5b8577d13894d5

SHA256
a4d91d512c9645f13832de0a38ddc8fa632fe8b59efda269c52017f9073b3e7f

SHA512
eee78235169267e1e04c4a96ac1cd11fbffeda70a132b5bbdd25f31587d2105618f5a0851acd2d269cc257fbda4b51de47e04eceb8cf8aaa741450071adf8b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f5cabef555ad5f5eded6cf00701bec29

SHA1
1da90111ad511087371ba77d675b14c0bea11224

SHA256
67e5caee4239defb0b5b4a1aeaa91f83bc43579edf8706691483c89ca2fc8a5e

SHA512
225e7d7d2727bec33496fc0369e1351f7635ea2db83a25a70eb468a1335493a8f40ac4d6ad4e9a7f7f46166001e38f6ebe34e16a44fb51a2fb57ffcfa7d9343f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bcbde00994b5a56804f8da0877be5041

SHA1
f577aa38561978a7212518212a3e3016d551a5ea

SHA256
4b9d9e1bd9f08ac017076b68f619b6fec8ca178b9b79363045d0d35f008819d8

SHA512
b8a028267c85259c8b5572be666567069c7ab4615942f7360fcc5f1246e74243c0fa281d2eb3f1884e404d48b9515461a1185c018663b4786e3fe94719b3b0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b79ddcc0a93ac63a0c44d0d88b002498

SHA1
15edbc82e1b2d3db75ab38581675ac81fc5b3358

SHA256
2fb5fcef53bf9f546296156bb4358cbe3636c90f059c61ea02393b74ef82cc54

SHA512
aeb1002c97c6c31f1bfdd8fe47f6259e98cda9b917d96cca0b54b9456593113a1e03922695a7254d340c498b6a845038d228fe2772e0f312324d486a8ee00a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1b235106d7da71f25c5a0ed046cac9e2

SHA1
6374ab47aa66b0b48f975761faa957a76ac8447a

SHA256
08a9301cbb928b169e3e7e39fa55f6f586385dac3cbe5ccddfb772aff78f742b

SHA512
9fd0a23775aad1fc8bf64deb382e28906da3ead3ba102562dcc21211638fb3a4e5b34e1b41a5383dfb4cad893335ab2d69a3a0afa2a174731dc530e705f8e6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
de67c74ba1709ffb8305054dab334f2f

SHA1
c148b090f19d4e6d98dcdc2c19397201fa006b5f

SHA256
52228de725260cdb0f41bec06fa4280a2f09ff3d8b9395201821e973c0332a54

SHA512
a9e70b8e0656fb8365935345741822717fae1c81ac6be9ff5bec771dc688d6bb635733b1fd845d1e80c15ac066b8b5d4730db64fba16d83eb2993578f6173678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
65759b84a6cc224030488e634a80d8cc

SHA1
f218f18e2760a403e122ca196b862ed0c80a921c

SHA256
885c76bba681cc0f1f0075a60cd842f16e9f3282ef5e002f5a90c1afb36cfcc3

SHA512
f4709c27cc071e1ddbce92d44ca9c11a21fb27d88f85c7c1947df513be8558d06c01f8f6d47a61221620cb561f8d3f219252e0898479f2af6b762ff70912c2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
36860ee684115b70f43c603b2c9952be

SHA1
ecc04b5ad48821f4386df7161cfc2bc6cacad645

SHA256
4d60607f4a819307481031a88dfb181bd1919a118aa7a3cc455c19b6e9f340ba

SHA512
52221ccd677078c53f2ff82fd452a0e25f347ce6765cdef8464fcccb119179f9a84b54b11cb208760b6700e11daa3a0dc652157e524b989f0cbae20b49dd6595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5836bb.TMP
Filesize
372B

MD5
a757209b70184c0a18acfab268df0a5e

SHA1
8b65e02a18915db8b30958ab51ea25637268f9ad

SHA256
6a54effdb916d34323f4f3201d2a211075e50534f1704d484577eb42ef420090

SHA512
837316fdbd59064c7eebc1697c896aab9b88bb83f9c110309273f37da8645dfb3525814d5b2cca598e4d302dce2c74ace94980973fc9b9ef304bb743ccfe55ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
05a7819467f1895517f8292488d168e9

SHA1
dd221b7d58353a27c8896665f5e606355a9843a7

SHA256
6cf5f84c146df380a2d89da7dcd450b1dd1ab2894c57c6b7018dbf20b1fdcf7d

SHA512
8e079d8a6b16c750ad1df91bff43a25f65ed8ed895a3f5af54a066460464342eaa61f634af787156e2b391ff1419e4875d34254f56a9145a0c9db8d808fc0999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9a65cc8b7008d2b7b14a3c656b01b61c

SHA1
6329c0864f4d836eaeb254203b1d3ab6cc23d81a

SHA256
fa2ab4061bd12727ee73462227e7a480a2bc7ce2cde853df41e516e8fc1511f7

SHA512
144f6787945eaac2fde56bc98a1e374841d4d6bf2162f10eb7d0d01c00dd32e158735ef8aec01980ffef2473f35894381aea68b8841dcc4448998d3505c4d1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
072f8cb1adb50f94ec208a7dd2cab4fd

SHA1
65af598a96db6343e9cd7f0fcfb35a861b152b40

SHA256
a7eb1bf5be00a57e9a4215f93f2a3e917d7847fca4d646b57c5746678a4fdb62

SHA512
8cdeb8910a4a323f228a201261bc268d99e9799a00cf543bc5c6642910c916aef5cb10c10765929fc63422123d365bdcad26764755a489ae44779ec8f3e45a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\8E52.tmp\8E62.vbs
Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe
Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\bg.bmp
Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe
Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mainbgtheme.wav
Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe
Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E51.tmp\tools.cmd
Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_52E6AF5AB5714C24BE3D1D4314F2B7DE.dat
Filesize
940B

MD5
8a463cd98ccd985254c8776738cf9bd4

SHA1
236b1e465f1b9131f3d32735d163b2b83889f64e

SHA256
e31f5cea5d725330e38c69e91b6744dedc7115ea53bb275920560ea5cc5f53a9

SHA512
20c7be30e0b21e7a338837439e7b274193cc9a647d9e97c8785dcafad1578a83169f4db0c292cebc74a0675b391321f8aa04b317d7bf20f76160f1ad98b94f36

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 6.txt
Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5).zip
Filesize
9.7MB

MD5
914fadaee197d1f71082a7bd95e042e6

SHA1
3356ffc83b5edb82940a04ce067d9e7ae7fd248c

SHA256
07bb2b15e3e6a2711ab2290c1f4a10f89ce193657e64f4e92190b7139ffec6ac

SHA512
b9aa1390283b3003b264531ed50edeeae1922f25dca5fce0bcbfd5b72815ef7040fa8c024276e234286b76f46a4c69292b45b8250679f686f329ed9edb042026

Download Submit
\??\pipe\LOCAL\crashpad_1804_MSGJEFROMQQNOAUN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-1237-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3888-832-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

Filesize
136KB

Download
memory/3888-836-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/3888-837-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/3888-838-0x0000000005DA0000-0x0000000005DAA000-memory.dmp

Filesize
40KB

Download
memory/4212-797-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads