hxxps://www[.]bing[.]com/ck/a?!&&p=14f858ea69fe0128JmltdHM9MTcwODczMjgwMCZpZ3VpZD0yZWI2OWUwZC1kNjRjLTY0N2EtMTNkZC04YzdiZDc5ZTY1ZTkmaW5zaWQ9NTIwMw&ptn=3&ver=2&hsh=3&fclid=2eb69e0d-d64c-647a-13dd-8c7bd79e65e9&psq=spongebob+fun+pack+virus+download&u=a1aHR0cHM6Ly9naXRodWIuY29tL3BhbmtvemEyLXBsL1Nwb25nZWJvYk5vU2xlZXA&ntb=1

Analysis

max time kernel
293s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bing.com/ck/a?!&&p=14f858ea69fe0128JmltdHM9MTcwODczMjgwMCZpZ3VpZD0yZWI2OWUwZC1kNjRjLTY0N2EtMTNkZC04YzdiZDc5ZTY1ZTkmaW5zaWQ9NTIwMw&ptn=3&ver=2&hsh=3&fclid=2eb69e0d-d64c-647a-13dd-8c7bd79e65e9&psq=spongebob+fun+pack+virus+download&u=a1aHR0cHM6Ly9naXRodWIuY29tL3BhbmtvemEyLXBsL1Nwb25nZWJvYk5vU2xlZXA&ntb=1

Score

10^/10

bootkit evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	mbr.exe
1492	MainWindow.exe
4316	gdifuncs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
67	raw.githubusercontent.com
68	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	msedge.exe
2856	msedge.exe
3316	msedge.exe
3316	msedge.exe
4536	identity_helper.exe
4536	identity_helper.exe
2612	msedge.exe
2612	msedge.exe
432	msedge.exe
432	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe
4316	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE
Token: SeDebugPrivilege	4316	gdifuncs.exe
Token: SeDebugPrivilege	4316	gdifuncs.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4072	SpongebobNoSleep2.exe
3612	SpongebobNoSleep2.exe
1492	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1008	3316	msedge.exe	69
PID 3316 wrote to memory of 1008	3316	msedge.exe	69
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 4512	3316	msedge.exe	88
PID 3316 wrote to memory of 2856	3316	msedge.exe	89
PID 3316 wrote to memory of 2856	3316	msedge.exe	89
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90
PID 3316 wrote to memory of 4296	3316	msedge.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/ck/a?!&&p=14f858ea69fe0128JmltdHM9MTcwODczMjgwMCZpZ3VpZD0yZWI2OWUwZC1kNjRjLTY0N2EtMTNkZC04YzdiZDc5ZTY1ZTkmaW5zaWQ9NTIwMw&ptn=3&ver=2&hsh=3&fclid=2eb69e0d-d64c-647a-13dd-8c7bd79e65e9&psq=spongebob+fun+pack+virus+download&u=a1aHR0cHM6Ly9naXRodWIuY29tL3BhbmtvemEyLXBsL1Nwb25nZWJvYk5vU2xlZXA&ntb=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9988946f8,0x7ff998894708,0x7ff998894718
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1284909738156919739,8646340631120067011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5360 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2892

C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe
"C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4072
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F397.tmp\F398.tmp\F399.vbs //Nologo
  2⤵
  PID:3988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\readme.txt
1⤵
PID:1608

C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe
"C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\7E6E.tmp\7E6F.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    PID:464
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1736
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4864
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4240
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2056
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4460
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2916
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1012
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4316
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1568
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3428
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4920
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2300
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4588
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3016
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4712
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4632
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1472
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1304
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4408
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4872
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1096
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1796
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3148
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4012
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3340
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3392
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3696
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3656
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3076
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2784
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2768
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:408
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3732
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3112
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4896
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x310
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343e73b39eb89ceab25618efc0cd8c8c

SHA1
6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

SHA256
6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

SHA512
54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4c957a0a66b47d997435ead0940becf

SHA1
1aed2765dd971764b96455003851f8965e3ae07d

SHA256
53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

SHA512
19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
091017d948ebb3681324e3a5c0cca625

SHA1
1e26b0ccb7a329c8f72918b40790867eaa107a5a

SHA256
121459b3887f2c8a971590425a7164123d744384b5289960f9955157679708b1

SHA512
2394583a38c2b508dc712eb35b35b4c356444b23d2b776fdd6b719f006a487dd2e6dbca0dda4c7139c5cfdf5128042afc999cd9aa245ac2b13ff2b254cadf38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
81452c02d210e8f218e92f79434750bd

SHA1
26ba49d72074a76e8f5763b9ed98d16e58e68ea7

SHA256
157b484d887d4e346cd9f1752fd548c86419758023c2beb9a893e77598269717

SHA512
9a4beb94026c903cb29220b580b6023f6a962fcca049e7be495bcc7a1237437d1e25b25fb911d7611d242033e2dd3e42bdacbe4712b84023a9e1c66642700acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9b0917e1b0d999349fa42a9248eeefe

SHA1
78203ec59ea844ce409186c23c3d9f64c771b76f

SHA256
5d9244d840c86bcbd097933158b9771717e1ab81a0cabd4fd0f1b326c7049d7b

SHA512
2aad95dbee8a367b28261666ad1e511007617b0b6355e0cd870672621cba2a7ff2368106f1fcfd99e6ba3800aa4818d59c4d2643d020fbcfbd7fdf3a5f3979fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
48285aa52e2b36c706c3957528d3649a

SHA1
fc950d1a0e0d8f0a80f6f79630d7e307532f6ec5

SHA256
74e4efccefd33e6e6a60619d453abcab71e2e3da9c265015a7826648b0e1f9a9

SHA512
e62ef52d1782e9394e48cc4b4a9a8ab0560b70da4dda19bdcd03dbcd4762a72618d3f0540655ae244f8e934188642d3f6899b5460a504c29cea401ec3a556447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d731689307157c9966d0aa0ec686af9

SHA1
787b764e71caa312302d51ff8eea2147b5d7bf74

SHA256
73470d9585ffb71329fa0d3c6482253c166f9aac22794a0b4a428ea026ebda12

SHA512
ff35a3547dc1506b11ac61f9b938c7d9293ecf20a980c88c17c7a4ba1527ce7f3c544588d9e56b63ac70371001bc9f32a67f4d59cc2def9abc7420118d16f21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51124430366937edbfd464918f4fe0bd

SHA1
4a4a864b0cbaa52e3e421d8169cf227f95daf74f

SHA256
b5986c953abf55d0d349123f6bb36f37d0570cb9acf047ba9f08ab19b29cf68a

SHA512
95f5bcd995b916d7a3f4256174660f7415e9453ce6f99ffc18870287b51922fe1602250098f19d9b62d77ad9450a0656578f10301512fb1394908c05097b7160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57880c.TMP

Filesize
864B

MD5
a6477372c85018ab62142bd1f0552648

SHA1
b37f612b3c430016e6b89bdf24759a0b44406f9f

SHA256
2bd859826d2dd4f5a4b1e5243d1c232ed0a5eda7d4071a2bdbaffe7af3002251

SHA512
65b1818d94b5a76308758461c4f17bdf3470b6386c6e88f498fe3c9abec6a419755e0c7e60db53083b9cdf134214c63b6fbae95559c9ef958b108540c11b20e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d82dbfc70aa9aab891b3df26bfcae0ed

SHA1
5c71e8154ee5c00131bd5ad999b2a1ec208e75fc

SHA256
cf6087075c44b09598fe1f7e374e6701329e5a826b32638558e4521193fa3cd8

SHA512
3828b6a1effe45927cbd31c2236555e82541c36cb441ee273aa83d7d75dbadba92147453689b5794dd6900ae6cb847e1f29cb779781866b0f9c20b0316e2bb74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
48c10f410846d6ab61264d9af46eddb4

SHA1
b1af3fa2c1a2b17f0bd31491f3e950aade70034f

SHA256
4c59ccb8a98ac6a29e01e24e15488649d7a40d417bc9b6fe4ecead842f17b774

SHA512
92e3ca8ba54d33c4acc7686e392bd84db6918e553f73197de4596032602de8e3fc658ec433dd6373ccc5b1ca812e57cbc0667ef4fb982740565d1027161bc0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\MainWindow.exe

Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\gdifuncs.exe

Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\mbr.exe

Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E6D.tmp\tools.cmd

Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F397.tmp\F398.tmp\F399.vbs

Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_380DE88D742241F8B536C09E6AF6A259.dat

Filesize
940B

MD5
43a1c8d4285222fdbf65471ddca769b1

SHA1
49fadca6e5937d8b09ecc4c0e006075dcedb82af

SHA256
29d8af616ac97e803c00aa725b79e16eb8db8485f7c289c8b5891d022a50261f

SHA512
2dce46b0d9ebb35b67abe219fe0f1afad7cb3bec4474475078f4117b39ff055db72b4f8d418f9b704626421be60e56a81356de1ac57905602f4660558996f318

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5).zip

Filesize
384KB

MD5
7ab199f8550268e7a46ddf272c6cbdcc

SHA1
b9661fd143a45ba1b5d0e22c70249b0bec8c9684

SHA256
dd983cdb957a2295b89c6a800f9efd480f1e5a2ec75bf25d339152b97ab00fbf

SHA512
ced9a6a462be05b35ea20eb4402a67a4d9fa270e75108ad10142c7988fc9eeb7b264e051abeab992e576e74b48c4fc3edc0e81cfc53ecf71b19202a085ce3a39

Download Submit
memory/3028-561-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4316-580-0x0000000073080000-0x0000000073830000-memory.dmp

Filesize
7.7MB

Download
memory/4316-581-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/4316-582-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4316-583-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-584-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/4316-585-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-587-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-576-0x0000000000CB0000-0x0000000000CD2000-memory.dmp

Filesize
136KB

Download
memory/4316-590-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-601-0x0000000073080000-0x0000000073830000-memory.dmp

Filesize
7.7MB

Download
memory/4316-606-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-609-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-614-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4316-621-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download