bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
215s
max time network
365s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

description	flow	ioc	Process
	207	zirabuo.bazar	Process not Found
	219	zirabuo.bazar	Process not Found
	238	zirabuo.bazar	Process not Found
	184	zirabuo.bazar	Process not Found
	194	zirabuo.bazar	Process not Found
	228	zirabuo.bazar	Process not Found
	237	zirabuo.bazar	Process not Found
	217	zirabuo.bazar	Process not Found
	226	zirabuo.bazar	Process not Found
	209	zirabuo.bazar	Process not Found
	215	zirabuo.bazar	Process not Found
	216	zirabuo.bazar	Process not Found
	229	zirabuo.bazar	Process not Found
	178	zirabuo.bazar	Process not Found
	197	zirabuo.bazar	Process not Found
	202	zirabuo.bazar	Process not Found
	205	zirabuo.bazar	Process not Found
	212	zirabuo.bazar	Process not Found
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
	183	zirabuo.bazar	Process not Found
	208	zirabuo.bazar	Process not Found
	213	zirabuo.bazar	Process not Found
	214	zirabuo.bazar	Process not Found
	173	zirabuo.bazar	Process not Found
	179	zirabuo.bazar	Process not Found
	199	zirabuo.bazar	Process not Found
	200	zirabuo.bazar	Process not Found
	211	zirabuo.bazar	Process not Found
	169	zirabuo.bazar	Process not Found
	175	zirabuo.bazar	Process not Found
	176	zirabuo.bazar	Process not Found
	206	zirabuo.bazar	Process not Found
	235	zirabuo.bazar	Process not Found
	177	zirabuo.bazar	Process not Found
	186	zirabuo.bazar	Process not Found
	189	zirabuo.bazar	Process not Found
	191	zirabuo.bazar	Process not Found
	203	zirabuo.bazar	Process not Found
	225	zirabuo.bazar	Process not Found
	234	zirabuo.bazar	Process not Found
	170	zirabuo.bazar	Process not Found
	188	zirabuo.bazar	Process not Found
	220	zirabuo.bazar	Process not Found
	227	zirabuo.bazar	Process not Found
	230	zirabuo.bazar	Process not Found
	185	zirabuo.bazar	Process not Found
	190	zirabuo.bazar	Process not Found
	198	zirabuo.bazar	Process not Found
	231	zirabuo.bazar	Process not Found
	180	zirabuo.bazar	Process not Found
	182	zirabuo.bazar	Process not Found
	192	zirabuo.bazar	Process not Found
	201	zirabuo.bazar	Process not Found
	222	zirabuo.bazar	Process not Found
	224	zirabuo.bazar	Process not Found
	236	zirabuo.bazar	Process not Found
	240	zirabuo.bazar	Process not Found
	174	zirabuo.bazar	Process not Found
	193	zirabuo.bazar	Process not Found
	221	zirabuo.bazar	Process not Found
	204	zirabuo.bazar	Process not Found
	218	zirabuo.bazar	Process not Found
	223	zirabuo.bazar	Process not Found
	239	zirabuo.bazar	Process not Found

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
976	takeown.exe
5948	icacls.exe
5096	takeown.exe
980	icacls.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
173	zirabuo.bazar
174	zirabuo.bazar
206	zirabuo.bazar
215	zirabuo.bazar
219	zirabuo.bazar
226	zirabuo.bazar
176	zirabuo.bazar
180	zirabuo.bazar
211	zirabuo.bazar
230	zirabuo.bazar
217	zirabuo.bazar
229	zirabuo.bazar
238	zirabuo.bazar
193	zirabuo.bazar
198	zirabuo.bazar
227	zirabuo.bazar
240	zirabuo.bazar
175	zirabuo.bazar
194	zirabuo.bazar
203	zirabuo.bazar
205	zirabuo.bazar
212	zirabuo.bazar
216	zirabuo.bazar
223	zirabuo.bazar
224	zirabuo.bazar
187	zirabuo.bazar
213	zirabuo.bazar
214	zirabuo.bazar
220	zirabuo.bazar
232	zirabuo.bazar
235	zirabuo.bazar
177	zirabuo.bazar
178	zirabuo.bazar
221	zirabuo.bazar
179	zirabuo.bazar
182	zirabuo.bazar
195	zirabuo.bazar
199	zirabuo.bazar
233	zirabuo.bazar
234	zirabuo.bazar
188	zirabuo.bazar
190	zirabuo.bazar
208	zirabuo.bazar
239	zirabuo.bazar
185	zirabuo.bazar
186	zirabuo.bazar
201	zirabuo.bazar
181	zirabuo.bazar
191	zirabuo.bazar
192	zirabuo.bazar
196	zirabuo.bazar
210	zirabuo.bazar
225	zirabuo.bazar
209	zirabuo.bazar
222	zirabuo.bazar
236	zirabuo.bazar
169	zirabuo.bazar
183	zirabuo.bazar
200	zirabuo.bazar
202	zirabuo.bazar
207	zirabuo.bazar
218	zirabuo.bazar
170	zirabuo.bazar
197	zirabuo.bazar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 6 IoCs

pid	Process
404	mbr.exe
2480	MainWindow.exe
5876	gdifuncs.exe
3088	mbr.exe
1320	MainWindow.exe
2392	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5948	icacls.exe
5096	takeown.exe
980	icacls.exe
976	takeown.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.177.171.127
Destination IP	158.69.239.167
Destination IP	188.165.200.156
Destination IP	35.196.105.24
Destination IP	193.183.98.66
Destination IP	185.164.136.225
Destination IP	139.59.23.241
Destination IP	87.98.175.85
Destination IP	188.165.200.156
Destination IP	162.248.241.94
Destination IP	5.132.191.104
Destination IP	163.172.185.51
Destination IP	172.104.136.243
Destination IP	5.132.191.104
Destination IP	142.4.204.111
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	172.98.193.42
Destination IP	46.28.207.199
Destination IP	217.12.210.54
Destination IP	5.45.97.127
Destination IP	185.208.208.141
Destination IP	5.132.191.104
Destination IP	91.217.137.37
Destination IP	63.231.92.27
Destination IP	91.217.137.37
Destination IP	69.164.196.21
Destination IP	212.24.98.54
Destination IP	31.171.251.118
Destination IP	107.172.42.186
Destination IP	158.69.160.164
Destination IP	46.28.207.199
Destination IP	139.99.96.146
Destination IP	139.59.208.246
Destination IP	96.47.228.108
Destination IP	172.104.136.243
Destination IP	158.69.160.164
Destination IP	50.3.82.215
Destination IP	185.117.154.144
Destination IP	198.251.90.143
Destination IP	172.104.136.243
Destination IP	82.196.9.45
Destination IP	31.171.251.118
Destination IP	144.76.133.38
Destination IP	167.99.153.82
Destination IP	192.99.85.244
Destination IP	5.135.183.146
Destination IP	139.99.96.146
Destination IP	92.222.97.145
Destination IP	92.222.97.145
Destination IP	63.231.92.27
Destination IP	198.251.90.143
Destination IP	142.4.204.111
Destination IP	82.141.39.32
Destination IP	185.164.136.225
Destination IP	167.99.153.82
Destination IP	69.164.196.21
Destination IP	46.101.70.183
Destination IP	5.135.183.146
Destination IP	46.101.70.183
Destination IP	50.3.82.215
Destination IP	185.208.208.141
Destination IP	51.254.25.115
Destination IP	51.254.25.115

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
142	raw.githubusercontent.com
143	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MainWindow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MainWindow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpongebobNoSleep2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpongebobNoSleep2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{A08D835D-B504-4742-8F97-C78DF6997374}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
384	msedge.exe
384	msedge.exe
208	identity_helper.exe
208	identity_helper.exe
4392	msedge.exe
4392	msedge.exe
5428	msedge.exe
5428	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe
5876	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1928	AUDIODG.EXE
Token: SeDebugPrivilege	5876	gdifuncs.exe
Token: SeDebugPrivilege	5876	gdifuncs.exe
Token: SeDebugPrivilege	2392	gdifuncs.exe
Token: SeDebugPrivilege	2392	gdifuncs.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5048	dl2.exe
232	dl2.exe
4172	SpongebobNoSleep2.exe
5288	SpongebobNoSleep2.exe
2480	MainWindow.exe
1320	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2076	384	msedge.exe	97
PID 384 wrote to memory of 2076	384	msedge.exe	97
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3672	384	msedge.exe	98
PID 384 wrote to memory of 3620	384	msedge.exe	99
PID 384 wrote to memory of 3620	384	msedge.exe	99
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100
PID 384 wrote to memory of 2256	384	msedge.exe	100

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {01D1C489-E8C2-46A2-9783-4C4CD6AAD050}
1⤵
- Suspicious use of SetWindowsHookEx
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8f1746f8,0x7ffc8f174708,0x7ffc8f174718
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12580585818428956774,1041708363912521543,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\readme.txt
1⤵
PID:3280

C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe
"C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4172
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CC20.tmp\CC21.tmp\CC22.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\CC20.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\CC20.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CC20.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    PID:5796
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:988
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:976
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5636
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5920
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5956
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5964
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5932
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5884
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5520
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3960
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1444
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2712
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5092
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6076
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5504
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5212
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5836
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5344
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2488
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4416
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4920
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4088
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5936
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5336
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5264
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4848
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5244
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6132
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6108
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6104
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3712
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5028
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1652
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1636
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3720
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\CC20.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\CC20.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1320
- - C:\Users\Admin\AppData\Local\Temp\CC20.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\CC20.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2392

C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe
"C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5)\SpongebobNoSleep2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5288
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3BA.tmp\3BB.tmp\3BC.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\3BA.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\3BA.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3BA.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    PID:2012
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:5184
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3296
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1700
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2508
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2540
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:660
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5700
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6092
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5332
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4848
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5312
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5244
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3572
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4944
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5384
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2616
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6104
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4200
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4012
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6072
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6088
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5580
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1692
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4988
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5396
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5576
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5852
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4476
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1604
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1180
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5352
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6008
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2084
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\3BA.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\3BA.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\3BA.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\3BA.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5876
  - - C:\windows\SysWOW64\takeown.exe
      "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5096
  - - C:\windows\SysWOW64\icacls.exe
      "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f LogonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:976
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls LogonUI.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 45.txt
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
3870187c022432e7628584cc7a17b810

SHA1
626f1d95d0d5b2b12efb4c1c0a53ea0fbd93acf0

SHA256
579242c8a1ebcfbe21ff0895681e3be274bdd1cf717e1202bd59582512f75e78

SHA512
a07d7c51938778334af2a6b3d109bcca14d25ff07708ce3e7e84d72278d28d0673a28b4860fb2d77159afad25c60a9a9b12421d1b651bbb0a6a0e1908b918426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
87c2b3ef023a4d24682fcd414d95444f

SHA1
b60ae60e8d0040a03d7fb756146d0cf3a5e4b2bd

SHA256
99b09e01ad1f4a2b11aca9535758c9b980296a2c363d48a91fb9ba9e3494e3bc

SHA512
1f1d256c54ee96aa3cbec2e6d252d1ff6addfe60dc6c9bdc156397043fcdab51cbfddd4e733d811a05f86370009dc2984f15ed161e48845365b1219e9b20d837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a84345a4f037cd46458ce4c5cb465623

SHA1
3b08823aa222a2da1180808335670ed4605f158d

SHA256
37b239fb58b43a7043354b302d7728e5822fcfd0e9e3e4b938094a5cfcdece2a

SHA512
ce01c0ea876cb64865eb5b8722d4a83046f38e99d921e07513f90d12eac7483c5d7b307c8ac442b85c33d490a8847e5b7c09b54be966b5a0dab302ccca16c3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
98b7ee88135ef35d3f276acd281e485d

SHA1
bdd058a102bde7e367f0b66ea6acdacff90cffae

SHA256
45d9a6d3c2fd6df911dfd72480e7f4e1458900dd22fe94a5cb1418b8789cde37

SHA512
9545750d8149b786453530044d1918b45f73a071b812853c57822cecb09d3736521b9c85815c10d96f8a0d71481090fb0de4445a28c0d111e1b4b50a5c76760a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
23b12226a0ff2c48252288c393f2c093

SHA1
0eea06284c335e9122fc8e2d610673b4c6d862e9

SHA256
b85a5b7e6c62c93f7ca07099729a1b05e4e400ba75421228612622d8ddba412b

SHA512
89d7283bfdfe0512812512bd2b9f67b44fefda2b637c44410d5c3fc452893e4aaa5cf496a6c7db36ec7718c7226b14ad56cfd04fe654e7b1673052bae0e2637d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
327B

MD5
3eed05f4a75513ca7a782424edffca98

SHA1
04bb3a6e62176801ef3244b17e4fbc43a2ce7dd6

SHA256
f6a6f6776e8e9da571fd4185225f14f6467be4f0b29b237b3a685954e563abcb

SHA512
46a8f8eaa27160591bc4516db0c15198c8dd860b21bc01d03a8a252b0d30a63d2e7d7166172f8833b2e1b349dd2a081442e41d648769159ee46dbc610091b5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8f83f52de30c5da102c85b8d6427b781

SHA1
2d05b9c4ce4bd55f7fe84fd1c21cb309ddea0351

SHA256
19fb6c6a5ad4b5ff57109c57964a8f0ef091812f8a0b15912b78b3eb8a8d0bd5

SHA512
0a1b3a83773d3e210120d6d85523961f147df501b30561809c208a332b714e72f8af3b87ee5571b276c1e11a86d2850c0da59a6bbb1d9a395ad619bb1354991a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a2046502c9300a920578c3bd4469d1e

SHA1
8dce6e75492fb1714753182221fff1623e0159aa

SHA256
c31bb49fc4169163f75190bb91f1a4304847afa6d810d81680640886b3753008

SHA512
34ebeba73a9b964a78542b10fd76deb9c658c9112181378f0d8529bb1bdec457d8417bbb4175cd8e20c30a75ab956e8af2e417041444541d716a29f7b75ee26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6477c24e8951f78a7dd5670aa7c5465e

SHA1
f0be091e3fb23a85c1e80935721652a401a48750

SHA256
ef34c236f82956c827834ef305911f99c649c91326c1dda410fd105c174a3034

SHA512
bad225292b10e6168c33e8c3b1d15c79c540c2b43b60de6c4c86264d9779049af25ec9114ddc88f48d523de95d345f1f15a5de49fe22836103fac008cf7ec996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d0c443106675961f19480e9d84ccd99

SHA1
67903ec542140766d8fe3fcad97737229cddf41b

SHA256
ca798998954f8587f8c5e988aa08ca31aafa56bdd41d4f6854529257372cf905

SHA512
b86a3598f69b157bbda20225ec944d2b9930a388fddebe64bcb9cf615e05e9a12648d6ef54b1049d0068cae44c2a2fbe11fb052a0b3566d05a95d63accc7aae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
04d655d40aedecac83d0d7a3338c4d50

SHA1
b063e0834a800ebe076604369940eb2beefc1fac

SHA256
f86f200c8dfff8376e291ddd8b0dd9b68564da016d15e5f5423872eaa18fc429

SHA512
4de95e4ad2e3774183e3acb826d6827a61a56ce62b81e5b6896739c371e02270b1bb21fa7e2891d3033b21e1697b06408d9f19a0379e721881d0f29bbd8674ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e1274d678ac4336288cd9137450dd629

SHA1
4dacebc7cac20b21f0f3cf6ea91b543333bcb655

SHA256
1f8b0e9671d4e8f37dccd357aa318036212d2dc43099c58583b8c738cbaf43eb

SHA512
e9583ef46507fb254ccebf4b6de36bd95408d8672e8e021e15368364ca6432d7d4cb75440a064029703a8fe9f990cde5c207f231fcd8641e3c84f6061d8704c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1646c59e56bb8170919939981159bcd0

SHA1
20932e49fee332c70bbdab994df4f6a37c7d74b8

SHA256
db0f1701bf4fdb42dfd5bf567933b17d6907b2969b7a28b19b0879887d4ac413

SHA512
19b9805a8bfd5b8ab7b88256e095adf961c36d813b872d954776906856963818d1ddd9b493d929a8a48599ef0b7c78c5219a196e3e5cf0c2240132c60be3b640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a18a5f204a43a954f8bc6fd30ac17cd

SHA1
f347a0acbe3fd739616bdf045d69a65e1ba3b8ee

SHA256
88b4385c702675c2c1682ac42043229e3788fb9bef4ec0a44c41f791aba3f135

SHA512
140ff92c8d9e14d76737be86c15082d961c8d651b11628e724042e1fcfdb860ab2cb7249e5c16ff67f15d93513167ad8dfc0b50c282b65fed8e9d06c9e8db1d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e5ecc7d1b7500748c4501b0d15d72ce7

SHA1
08fe599bbd3dc4833a40596007abe93602ece26b

SHA256
cdec3d1fcdf27c2e367b5c41e26732bfac466148c0919e4a391bd8cceaf2cfd6

SHA512
dba05a6a89722ed1b1385f6a3a9563bc537b0eb3ca4c3a524de133c29678d806d8d1bcf8098f7f93be0c5f0efd544e4f9ecc03470020dd10c90dfa63f673e232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593bb7.TMP

Filesize
538B

MD5
ea017bd0b0ca89504b3276f7dee3e3bb

SHA1
a636793d187067446acffde51cc791429d0b01dd

SHA256
bdd570b0bfecb1f2c0d379a6ed02f1b3474ec3da336457fe3ea3c9c856916bcb

SHA512
ced874316c19174bc89aa98e3198aa96302098ac17abc0531df3386086f54807339354bd5206a04e6a03b91bdd17d85345ab971179ee004468dc96a2aab0409a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
798995dd33795c6fa6703d68d1b2d993

SHA1
aca0ee9ba870b19c1e7eab3c619ae4acfc0f5ccc

SHA256
7a1de61d073bcbba8e486c52ec1482bad67c65fcc1a9d664c91a5e8fda6a1b7e

SHA512
8418f5ec02236fad85655dd5242b10c83226904a7de94e48d8795eb9a6212cb89b8d67d6d6b6e498094a4fe225100de000f1b1396651c2c3b3934363a4227429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d6333134a3cb180243ac81a1f8f40e1a

SHA1
ee01ca88d46ab12646afcb298fd64d95d55d07da

SHA256
23ab0a0e06aca5477b071fab17af1fbb93ee19f39e25ec461f25064735c82ff5

SHA512
b6202d1588f20efbf566568a1720eb0a9796e8400c31989063f99964594cee496dd27a81f58567bd5f92b81c7d2840f0683db4d7faad34093f53f4398076eff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fa7358c7642c91103a503117ec8b86bf

SHA1
781127d31e8829702dcb0d649eea6e936bc61611

SHA256
db8d120c2a74f00e7020bb93797ff8feb597f5dd764817e5f6994449d0aa090e

SHA512
c6ed74c90d95b7fa0bb21266726b18fcd8a9b9e4c848415a79058e732106263a08f6a32b855ab64b3afb4cf11a43ba6274e0c9d4a64e688db2c453543d454953

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.tmp\MainWindow.exe

Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.tmp\mbr.exe

Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.tmp\tools.cmd

Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC20.tmp\CC21.tmp\CC22.vbs

Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6744503D7FB84505A4F837E1717CEA34.dat

Filesize
940B

MD5
352273ba402284e371a67e847412505a

SHA1
fa814295f96c576708eeb9916a6ccbc4c25be878

SHA256
d4fd49f4165634ad67aeaf390d90491480ef3e656129425ae32ffedc5ddcdabf

SHA512
d577a676b549a0f4e321b54b007c265953e5377e0964b230233ae8c7462db77cbe56659db03f39b606e09214a3dec341b7535517900e3c97fbed39ae71133242

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5).zip

Filesize
9.7MB

MD5
914fadaee197d1f71082a7bd95e042e6

SHA1
3356ffc83b5edb82940a04ce067d9e7ae7fd248c

SHA256
07bb2b15e3e6a2711ab2290c1f4a10f89ce193657e64f4e92190b7139ffec6ac

SHA512
b9aa1390283b3003b264531ed50edeeae1922f25dca5fce0bcbfd5b72815ef7040fa8c024276e234286b76f46a4c69292b45b8250679f686f329ed9edb042026

Download Submit
C:\Windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe

Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
memory/232-10-0x0000000002100000-0x0000000002130000-memory.dmp

Filesize
192KB

Download
memory/232-17-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/404-816-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3088-1073-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5048-8-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5048-42-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5048-1-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/5876-840-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/5876-839-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/5876-838-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/5876-834-0x0000000000B20000-0x0000000000B42000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads