d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26

Analysis

max time kernel
30s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

specialsurprise.exe
Size

9.8MB
MD5

b05fbd1bfd40e5632c36341d1f4cae47
SHA1

383df2dfd995236db0c5abcf84d867f2117215e7
SHA256

d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
SHA512

a40b4c4738675cb15007aca628fbf3a3a920a37e8a20c986e58539c58a4f31e6160825446fabed862793034b7072c90d33d622de5e3b8ba1b043cc519e1467aa
SSDEEP

196608:HB5HVbnvf/tlSZSKWdPcYpdo5V30UsnzKTFQCZ+nE2bZq3WFGuUa:DVrnVlitW0MowTnzwFv+ZqGFdl

Score

7^/10

bootkit persistence ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

specialsurprise.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	specialsurprise.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 3 IoCs

Processes:

mbr.exeMainWindow.exegdifuncs.exe

pid process

3044 mbr.exe
1420 MainWindow.exe
2184 gdifuncs.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe

pid	process
3044	mbr.exe
1420	MainWindow.exe
2184	gdifuncs.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3640 2184 WerFault.exe gdifuncs.exe

pid	pid_target	process	target process
3640	2184	WerFault.exe	gdifuncs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXEgdifuncs.exe

description	pid	process
Token: 33	772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	772	AUDIODG.EXE
Token: SeDebugPrivilege	2184	gdifuncs.exe
Token: SeDebugPrivilege	2184	gdifuncs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MainWindow.exe

pid process

1420 MainWindow.exe

pid	process
1420	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

specialsurprise.exewscript.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 2140	832	specialsurprise.exe	wscript.exe
PID 832 wrote to memory of 2140	832	specialsurprise.exe	wscript.exe
PID 2140 wrote to memory of 3044	2140	wscript.exe	mbr.exe
PID 2140 wrote to memory of 3044	2140	wscript.exe	mbr.exe
PID 2140 wrote to memory of 3044	2140	wscript.exe	mbr.exe
PID 2140 wrote to memory of 4512	2140	wscript.exe	cmd.exe
PID 2140 wrote to memory of 4512	2140	wscript.exe	cmd.exe
PID 4512 wrote to memory of 1484	4512	cmd.exe	reg.exe
PID 4512 wrote to memory of 1484	4512	cmd.exe	reg.exe
PID 4512 wrote to memory of 1412	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1412	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4604	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4604	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1264	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1264	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1500	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1500	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 644	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 644	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2484	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2484	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1080	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1080	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1920	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1920	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2940	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2940	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 524	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 524	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4376	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4376	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 948	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 948	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5012	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5012	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1140	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1140	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2788	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2788	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2380	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2380	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2208	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2208	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3252	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3252	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3180	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3180	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5032	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5032	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 880	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 880	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5040	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 5040	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3132	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 3132	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1816	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 1816	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2108	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 2108	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4688	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4688	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4292	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4292	4512	cmd.exe	rundll32.exe
PID 4512 wrote to memory of 4296	4512	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe
"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs //Nologo
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd" "
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
4⤵
- Sets desktop wallpaper using registry
PID:1484

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1412

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4604

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1264

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1500

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:644

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2484

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1080

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1920

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2940

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:524

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4376

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:5012

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1140

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:948

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2208

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2380

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2788

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1816

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3132

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:5040

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:880

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:5032

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2108

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3180

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3252

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4292

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4296

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4688

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2528

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3424

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2944

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2332

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4812

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2252

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1928
4⤵
- Program crash
PID:3640

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
1⤵
PID:4724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2184 -ip 2184
1⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs
Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe
Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe
Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\bg.bmp
Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe
Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe
Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mainbgtheme.wav
Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd
Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AEB400E9C1014AFBA892194423A878CA.dat
Filesize
940B

MD5
33ebb78f767e29b26580fd2feefaead6

SHA1
ed9f6f6e86a6ca9390e26b15ae55c218aa36590a

SHA256
b4834e8ab3d24faa70443729045675ff099536c151bcbef35fad246d0ef1df8d

SHA512
0168a2de3f0270c4b8625bd12a634066366ec23c6ed18eabcc9db6fdf79473fbef4bb78f7657f96e39a9eddabeaac91ec8e15740fdde2dbffea777a8e74ae0a5

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
memory/2184-382-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-388-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-376-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/2184-377-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-374-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2184-379-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-370-0x00000000000D0000-0x00000000000F2000-memory.dmp

Filesize
136KB

Download
memory/2184-385-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-386-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-384-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-383-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-405-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-387-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-375-0x0000000004AA0000-0x0000000004B32000-memory.dmp

Filesize
584KB

Download
memory/2184-389-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-390-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-391-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2184-394-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-395-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-396-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-397-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-399-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-398-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-402-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-403-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/2184-404-0x000000000B150000-0x000000000B250000-memory.dmp

Filesize
1024KB

Download
memory/3044-354-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download