Analysis

max time kernel: 265s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 07:31
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20240611-en

Errors

General

Target: http://google.com
Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: gdifuncs.exe, gdifuncs.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" (gdifuncs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" (gdifuncs.exe)
UAC bypass 2 IoCs
Processes: gdifuncs.exe, gdifuncs.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
Disables RegEdit via registry modification 2 IoCs
Processes: gdifuncs.exe, gdifuncs.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (gdifuncs.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (gdifuncs.exe)
Disables Task Manager via registry modification

Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
- pid 948: takeown.exe
- pid 3036: icacls.exe
- pid 2260: takeown.exe
- pid 4220: icacls.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (wscript.exe)
Executes dropped EXE 6 IoCs
Processes: mbr.exe, MainWindow.exe, gdifuncs.exe, mbr.exe, MainWindow.exe, gdifuncs.exe
- pid 4212: mbr.exe
- pid 3744: MainWindow.exe
- pid 3888: gdifuncs.exe
- pid 216: mbr.exe
- pid 4912: MainWindow.exe
- pid 2928: gdifuncs.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
- pid 948: takeown.exe
- pid 3036: icacls.exe
- pid 2260: takeown.exe
- pid 4220: icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: mbr.exe, mbr.exe
- File opened for modification: \??\PhysicalDrive0 (mbr.exe)
- File opened for modification: \??\PhysicalDrive0 (mbr.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: reg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" (reg.exe)
Drops file in Windows directory 4 IoCs
Processes: cmd.exe
- File created: \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe (cmd.exe)
- File opened for modification: \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe (cmd.exe)
- File created: \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav (cmd.exe)
- File opened for modification: \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav (cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
- pid 3968: timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
- pid 3264: taskkill.exe
Modifies Control Panel 6 IoCs
Processes: gdifuncs.exe, gdifuncs.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
Modifies registry class 2 IoCs
Processes: msedge.exe, msedge.exe
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{02572D00-CC10-4236-95C6-D95E3E02CE03} (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: AUDIODG.EXE, gdifuncs.exe, gdifuncs.exe
- Token: 33 (pid 3808, AUDIODG.EXE)
- Token: SeIncBasePriorityPrivilege (pid 3808, AUDIODG.EXE)
- Token: SeDebugPrivilege (pid 3888, gdifuncs.exe)
- Token: SeDebugPrivilege (pid 3888, gdifuncs.exe)
- Token: SeDebugPrivilege (pid 2928, gdifuncs.exe)
- Token: SeDebugPrivilege (pid 2928, gdifuncs.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: SpongebobNoSleep2.exe, MainWindow.exe, SpongebobNoSleep2.exe, MainWindow.exe
- pid 1576: SpongebobNoSleep2.exe
- pid 3744: MainWindow.exe
- pid 4164: SpongebobNoSleep2.exe
- pid 4912: MainWindow.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
Processes: gdifuncs.exe, gdifuncs.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
Processes

Each entry gives the image path, then the full command line, then the signatures that process triggered; the number in brackets is the nesting depth in the process tree.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffa712346f8,0x7ffa71234708,0x7ffa71234718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1860 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1912 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,5708455375252938704,4772605531841412889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe"
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8E51.tmp\8E52.tmp\8E62.vbs //Nologo
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe
        "C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe"
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E51.tmp\tools.cmd" "
        - Drops file in Windows directory
      [4] C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
          - Sets desktop wallpaper using registry
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    [3] C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe
        "C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe
        "C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Modifies Control Panel
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
      [4] C:\windows\SysWOW64\takeown.exe
          "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\windows\SysWOW64\icacls.exe
          "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
        [5] C:\Windows\SysWOW64\takeown.exe
            takeown /f LogonUI.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\SysWOW64\icacls.exe
            icacls LogonUI.exe /granted "Admin":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\SysWOW64\timeout.exe
            timeout 2
            - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im "tobi0a0c.exe"
            - Kills process with taskkill

[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x33c 0x3dc
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5) (1).zip\SpongebobNoSleep2.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5) (1).zip\SpongebobNoSleep2.exe"
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DAD.tmp\DAE.tmp\DAF.vbs //Nologo
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\DAD.tmp\mbr.exe
        "C:\Users\Admin\AppData\Local\Temp\DAD.tmp\mbr.exe"
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAD.tmp\tools.cmd" "
      [4] C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    [3] C:\Users\Admin\AppData\Local\Temp\DAD.tmp\MainWindow.exe
        "C:\Users\Admin\AppData\Local\Temp\DAD.tmp\MainWindow.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\DAD.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\DAD.tmp\gdifuncs.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Pre-OS Boot (1)
    - Bootkit (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: db9081c34e133c32d02f593df88f047a
  SHA1: a0da007c14fd0591091924edc44bee90456700c6
  SHA256: c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
  SHA512: 12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 3a09f853479af373691d131247040276
  SHA1: 1b6f098e04da87e9cf2d3284943ec2144f36ac04
  SHA256: a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
  SHA512: 341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5: 052d9a585075cd14848d93ed7146327d
  SHA1: f9ceb7d71fc552d23d4ed70fe5d5033f19985564
  SHA256: 951573dda35d3f2c4713e0eccb4801ef5cc767232faff19c7a743faa3733557f
  SHA512: baa8db9de2d9369ed35358665e5fc94c64e4017ae166eb9814797bfacf4d96a14c8563edf69ea21b75b968446fc531eb9c5eb9f6adef445034cb1ae6caa998b6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: cc76ec76ae376ed9c06fd446d799ed52
  SHA1: b33672cc4486486d879ed77db75b4d838185fb0c
  SHA256: e0b4e096d62b4a9c6c45ebf1eabc2cfd38141eb9d36c1e5c013da16073937293
  SHA512: 28c02d6c851e18b01be7cb741937b3640b809e6806e8e422a087bffe6b4b2c25e2b93b013ef79cdc3b44df6475518ca942db15d892b819d06906c754cd3cec4c

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: a656172ff597e05d9ac3c641ee306af9
  SHA1: d970fd55db460a64fce74c69c0a31ba60cafa164
  SHA256: 134209c6391666f3f3ca7d11b6b851498c55f173d3e00334cb3a22b37fc12f32
  SHA512: a045e4b63c8689fc975624774dae0b2aa5cb750cf147e167de435c7d8344f050ae61e863a8b5cd55b0ade689a0bd072ac7453dd55fae9b0384c9c3c95f68c6a2

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: 2f67076bc563405039809b9fd4ec9b8c
  SHA1: 5c4e6cabe65285a3ca524c147abf7058d9770f1d
  SHA256: 64d5700b878b90dc00aef5386a8b17b6710a93c41095cb878058ebbaea46c6ee
  SHA512: 15b82ae2872d190f797b7f7b1d360a19d8d6897c3ff2b9501a60b7a8c1aac756b4e09f7bde964061ce901a0f0367ba05a9deb436e0a79ab73df09b6ea0788ad0

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 055a93125ebccbecf944fc2a403157c3
  SHA1: c2f90ea1c942ede79d9d4850fedf6fb332d3732a
  SHA256: 4bd716ecf8734ada3978c9d3809c5ed68203d1f29a1e6b2a6724dc2c045aa169
  SHA512: 952ffaec9eb07c732292d03337e681ae6f120034220be84a608718388489edec861078068cf43bfd5c940e2c9374e8e0d81adbc0a17f08ca807ccac792ba8c3c

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 9cbc74b293c6618edc53bce5df64ec74
  SHA1: fb78d65183b48a6d1b145135ab5b8577d13894d5
  SHA256: a4d91d512c9645f13832de0a38ddc8fa632fe8b59efda269c52017f9073b3e7f
  SHA512: eee78235169267e1e04c4a96ac1cd11fbffeda70a132b5bbdd25f31587d2105618f5a0851acd2d269cc257fbda4b51de47e04eceb8cf8aaa741450071adf8b75
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: f5cabef555ad5f5eded6cf00701bec29
  SHA1: 1da90111ad511087371ba77d675b14c0bea11224
  SHA256: 67e5caee4239defb0b5b4a1aeaa91f83bc43579edf8706691483c89ca2fc8a5e
  SHA512: 225e7d7d2727bec33496fc0369e1351f7635ea2db83a25a70eb468a1335493a8f40ac4d6ad4e9a7f7f46166001e38f6ebe34e16a44fb51a2fb57ffcfa7d9343f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: bcbde00994b5a56804f8da0877be5041
  SHA1: f577aa38561978a7212518212a3e3016d551a5ea
  SHA256: 4b9d9e1bd9f08ac017076b68f619b6fec8ca178b9b79363045d0d35f008819d8
  SHA512: b8a028267c85259c8b5572be666567069c7ab4615942f7360fcc5f1246e74243c0fa281d2eb3f1884e404d48b9515461a1185c018663b4786e3fe94719b3b0d6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: b79ddcc0a93ac63a0c44d0d88b002498
  SHA1: 15edbc82e1b2d3db75ab38581675ac81fc5b3358
  SHA256: 2fb5fcef53bf9f546296156bb4358cbe3636c90f059c61ea02393b74ef82cc54
  SHA512: aeb1002c97c6c31f1bfdd8fe47f6259e98cda9b917d96cca0b54b9456593113a1e03922695a7254d340c498b6a845038d228fe2772e0f312324d486a8ee00a05

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 1b235106d7da71f25c5a0ed046cac9e2
  SHA1: 6374ab47aa66b0b48f975761faa957a76ac8447a
  SHA256: 08a9301cbb928b169e3e7e39fa55f6f586385dac3cbe5ccddfb772aff78f742b
  SHA512: 9fd0a23775aad1fc8bf64deb382e28906da3ead3ba102562dcc21211638fb3a4e5b34e1b41a5383dfb4cad893335ab2d69a3a0afa2a174731dc530e705f8e6c9

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: de67c74ba1709ffb8305054dab334f2f
  SHA1: c148b090f19d4e6d98dcdc2c19397201fa006b5f
  SHA256: 52228de725260cdb0f41bec06fa4280a2f09ff3d8b9395201821e973c0332a54
  SHA512: a9e70b8e0656fb8365935345741822717fae1c81ac6be9ff5bec771dc688d6bb635733b1fd845d1e80c15ac066b8b5d4730db64fba16d83eb2993578f6173678

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 65759b84a6cc224030488e634a80d8cc
  SHA1: f218f18e2760a403e122ca196b862ed0c80a921c
  SHA256: 885c76bba681cc0f1f0075a60cd842f16e9f3282ef5e002f5a90c1afb36cfcc3
  SHA512: f4709c27cc071e1ddbce92d44ca9c11a21fb27d88f85c7c1947df513be8558d06c01f8f6d47a61221620cb561f8d3f219252e0898479f2af6b762ff70912c2e3

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 36860ee684115b70f43c603b2c9952be
  SHA1: ecc04b5ad48821f4386df7161cfc2bc6cacad645
  SHA256: 4d60607f4a819307481031a88dfb181bd1919a118aa7a3cc455c19b6e9f340ba
  SHA512: 52221ccd677078c53f2ff82fd452a0e25f347ce6765cdef8464fcccb119179f9a84b54b11cb208760b6700e11daa3a0dc652157e524b989f0cbae20b49dd6595
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5836bb.TMP
  Filesize: 372B
  MD5: a757209b70184c0a18acfab268df0a5e
  SHA1: 8b65e02a18915db8b30958ab51ea25637268f9ad
  SHA256: 6a54effdb916d34323f4f3201d2a211075e50534f1704d484577eb42ef420090
  SHA512: 837316fdbd59064c7eebc1697c896aab9b88bb83f9c110309273f37da8645dfb3525814d5b2cca598e4d302dce2c74ace94980973fc9b9ef304bb743ccfe55ea

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 05a7819467f1895517f8292488d168e9
  SHA1: dd221b7d58353a27c8896665f5e606355a9843a7
  SHA256: 6cf5f84c146df380a2d89da7dcd450b1dd1ab2894c57c6b7018dbf20b1fdcf7d
  SHA512: 8e079d8a6b16c750ad1df91bff43a25f65ed8ed895a3f5af54a066460464342eaa61f634af787156e2b391ff1419e4875d34254f56a9145a0c9db8d808fc0999

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 9a65cc8b7008d2b7b14a3c656b01b61c
  SHA1: 6329c0864f4d836eaeb254203b1d3ab6cc23d81a
  SHA256: fa2ab4061bd12727ee73462227e7a480a2bc7ce2cde853df41e516e8fc1511f7
  SHA512: 144f6787945eaac2fde56bc98a1e374841d4d6bf2162f10eb7d0d01c00dd32e158735ef8aec01980ffef2473f35894381aea68b8841dcc4448998d3505c4d1b9

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 072f8cb1adb50f94ec208a7dd2cab4fd
  SHA1: 65af598a96db6343e9cd7f0fcfb35a861b152b40
  SHA256: a7eb1bf5be00a57e9a4215f93f2a3e917d7847fca4d646b57c5746678a4fdb62
  SHA512: 8cdeb8910a4a323f228a201261bc268d99e9799a00cf543bc5c6642910c916aef5cb10c10765929fc63422123d365bdcad26764755a489ae44779ec8f3e45a31

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\8E52.tmp\8E62.vbs
  Filesize: 2KB
  MD5: b893c34dd666c3c4acef2e2974834a10
  SHA1: 2664e328e76c324fd53fb9f9cb64c24308472e82
  SHA256: 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc
  SHA512: 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b
- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\MainWindow.exe
  Filesize: 92KB
  MD5: 7c92316762d584133b9cabf31ab6709b
  SHA1: 7ad040508cef1c0fa5edf45812b7b9cd16259474
  SHA256: 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298
  SHA512: f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\bg.bmp
  Filesize: 2.6MB
  MD5: ce45a70d3cc2941a147c09264fc1cda5
  SHA1: 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
  SHA256: eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
  SHA512: d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\gdifuncs.exe
  Filesize: 120KB
  MD5: e254e9598ee638c01e5ccc40e604938b
  SHA1: 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
  SHA256: 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
  SHA512: 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mainbgtheme.wav
  Filesize: 19.0MB
  MD5: 1b185a156cfc1ddeff939bf62672516b
  SHA1: fd8b803400036f42c8d20ae491e2f1f040a1aed5
  SHA256: e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
  SHA512: 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\mbr.exe
  Filesize: 1.3MB
  MD5: 33bd7d68378c2e3aa4e06a6a85879f63
  SHA1: 00914180e1add12a7f6d03de29c69ad6da67f081
  SHA256: 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05
  SHA512: b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

- C:\Users\Admin\AppData\Local\Temp\8E51.tmp\tools.cmd
  Filesize: 2KB
  MD5: 397c1a185b596e4d6a4a36c4bdcbd3b2
  SHA1: 054819dae87cee9b1783b09940a52433b63f01ae
  SHA256: 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f
  SHA512: c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_52E6AF5AB5714C24BE3D1D4314F2B7DE.dat
  Filesize: 940B
  MD5: 8a463cd98ccd985254c8776738cf9bd4
  SHA1: 236b1e465f1b9131f3d32735d163b2b83889f64e
  SHA256: e31f5cea5d725330e38c69e91b6744dedc7115ea53bb275920560ea5cc5f53a9
  SHA512: 20c7be30e0b21e7a338837439e7b274193cc9a647d9e97c8785dcafad1578a83169f4db0c292cebc74a0675b391321f8aa04b317d7bf20f76160f1ad98b94f36

- C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 6.txt
  Filesize: 26B
  MD5: bb6d68d7181108015cd381c28360dfc4
  SHA1: 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
  SHA256: aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
  SHA512: e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

- C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5).zip
  Filesize: 9.7MB
  MD5: 914fadaee197d1f71082a7bd95e042e6
  SHA1: 3356ffc83b5edb82940a04ce067d9e7ae7fd248c
  SHA256: 07bb2b15e3e6a2711ab2290c1f4a10f89ce193657e64f4e92190b7139ffec6ac
  SHA512: b9aa1390283b3003b264531ed50edeeae1922f25dca5fce0bcbfd5b72815ef7040fa8c024276e234286b76f46a4c69292b45b8250679f686f329ed9edb042026

- \??\pipe\LOCAL\crashpad_1804_MSGJEFROMQQNOAUN
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/216-1237-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB

- memory/3888-832-0x0000000000EC0000-0x0000000000EE2000-memory.dmp
  Filesize: 136KB

- memory/3888-836-0x0000000005EA0000-0x0000000006444000-memory.dmp
  Filesize: 5.6MB

- memory/3888-837-0x00000000058F0000-0x0000000005982000-memory.dmp
  Filesize: 584KB

- memory/3888-838-0x0000000005DA0000-0x0000000005DAA000-memory.dmp
  Filesize: 40KB

- memory/4212-797-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB