Malware Analysis Report

2025-08-10 22:58

Sample ID 230328-g5kstsbb4y
Target specialsurprise.exe
SHA256 d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
Tags
bootkit evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26

Threat Level: Known bad

The file specialsurprise.exe was found to be: Known bad.

Malicious Activity Summary

bootkit evasion persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

System policy modification

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-28 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-28 06:23

Reported

2023-03-28 06:31

Platform

win7-20230220-en

Max time kernel

158s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe C:\Windows\system32\wscript.exe
PID 572 wrote to memory of 1964 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
PID 572 wrote to memory of 996 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 996 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 996 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe

"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe

"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe"

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x510

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs

MD5 b893c34dd666c3c4acef2e2974834a10
SHA1 2664e328e76c324fd53fb9f9cb64c24308472e82
SHA256 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc
SHA512 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

MD5 bb6d68d7181108015cd381c28360dfc4
SHA1 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
SHA256 aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
SHA512 e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe

MD5 33bd7d68378c2e3aa4e06a6a85879f63
SHA1 00914180e1add12a7f6d03de29c69ad6da67f081
SHA256 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05
SHA512 b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd

MD5 397c1a185b596e4d6a4a36c4bdcbd3b2
SHA1 054819dae87cee9b1783b09940a52433b63f01ae
SHA256 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f
SHA512 c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

memory/1964-275-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\bg.bmp

MD5 ce45a70d3cc2941a147c09264fc1cda5
SHA1 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256 eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512 d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe

MD5 e254e9598ee638c01e5ccc40e604938b
SHA1 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

\??\c:\bg.bmp

MD5 ce45a70d3cc2941a147c09264fc1cda5
SHA1 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256 eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512 d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe

MD5 7c92316762d584133b9cabf31ab6709b
SHA1 7ad040508cef1c0fa5edf45812b7b9cd16259474
SHA256 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298
SHA512 f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

memory/1956-295-0x0000000001190000-0x00000000011B2000-memory.dmp

memory/1956-296-0x00000000010B0000-0x00000000010F0000-memory.dmp

C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt

MD5 bb6d68d7181108015cd381c28360dfc4
SHA1 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
SHA256 aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
SHA512 e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

memory/2448-314-0x0000000002900000-0x0000000002901000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-28 06:23

Reported

2023-03-28 06:26

Platform

win10v2004-20230221-en

Max time kernel

30s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe C:\Windows\system32\wscript.exe
PID 832 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe C:\Windows\system32\wscript.exe
PID 2140 wrote to memory of 3044 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
PID 2140 wrote to memory of 3044 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
PID 2140 wrote to memory of 3044 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
PID 2140 wrote to memory of 4512 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4512 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4512 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe

"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe

"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe"

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x498 0x308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1928

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           108.211.229.192.in-addr.arpa    udp
US       8.8.8.8:53           assets.msn.com                  udp
NL       95.101.74.151:443    assets.msn.com                  tcp
US       8.8.8.8:53           151.74.101.95.in-addr.arpa      udp
US       8.8.8.8:53           123.108.74.40.in-addr.arpa      udp
US       52.152.108.96:443                                    tcp
US       20.189.173.2:443                                     tcp
US       209.197.3.8:80                                       tcp

Files

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs

MD5 b893c34dd666c3c4acef2e2974834a10
SHA1 2664e328e76c324fd53fb9f9cb64c24308472e82
SHA256 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc
SHA512 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

MD5 bb6d68d7181108015cd381c28360dfc4
SHA1 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
SHA256 aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
SHA512 e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe

MD5 33bd7d68378c2e3aa4e06a6a85879f63
SHA1 00914180e1add12a7f6d03de29c69ad6da67f081
SHA256 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05
SHA512 b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd

MD5 397c1a185b596e4d6a4a36c4bdcbd3b2
SHA1 054819dae87cee9b1783b09940a52433b63f01ae
SHA256 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f
SHA512 c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\bg.bmp

MD5 ce45a70d3cc2941a147c09264fc1cda5
SHA1 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256 eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512 d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe

MD5 e254e9598ee638c01e5ccc40e604938b
SHA1 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe

MD5 7c92316762d584133b9cabf31ab6709b
SHA1 7ad040508cef1c0fa5edf45812b7b9cd16259474
SHA256 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298
SHA512 f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AEB400E9C1014AFBA892194423A878CA.dat

MD5 33ebb78f767e29b26580fd2feefaead6
SHA1 ed9f6f6e86a6ca9390e26b15ae55c218aa36590a
SHA256 b4834e8ab3d24faa70443729045675ff099536c151bcbef35fad246d0ef1df8d
SHA512 0168a2de3f0270c4b8625bd12a634066366ec23c6ed18eabcc9db6fdf79473fbef4bb78f7657f96e39a9eddabeaac91ec8e15740fdde2dbffea777a8e74ae0a5
