hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Analysis

max time kernel
439s
max time network
424s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1896	takeown.exe
5328	icacls.exe
3352	takeown.exe
3928	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	gdifuncs.exe

Executes dropped EXE 3 IoCs

pid	Process
4720	mbr.exe
2660	MainWindow.exe
972	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1896	takeown.exe
5328	icacls.exe
3352	takeown.exe
3928	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpongebobNoSleep2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MainWindow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1492	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5388	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
1272	msedge.exe
1272	msedge.exe
4364	identity_helper.exe
4364	identity_helper.exe
5884	msedge.exe
5884	msedge.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe
972	gdifuncs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5160	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5160	AUDIODG.EXE
Token: SeDebugPrivilege	972	gdifuncs.exe
Token: SeDebugPrivilege	972	gdifuncs.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	3352	takeown.exe
Token: SeDebugPrivilege	5388	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5672	SpongebobNoSleep2.exe
2660	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4644	1272	msedge.exe	84
PID 1272 wrote to memory of 4644	1272	msedge.exe	84
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 1756	1272	msedge.exe	85
PID 1272 wrote to memory of 3592	1272	msedge.exe	86
PID 1272 wrote to memory of 3592	1272	msedge.exe	86
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87
PID 1272 wrote to memory of 244	1272	msedge.exe	87

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffebc3c46f8,0x7ffebc3c4708,0x7ffebc3c4718
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,9684915664760304691,17695864356835819739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Users\Admin\Desktop\SpongebobNoSleep2.exe
"C:\Users\Admin\Desktop\SpongebobNoSleep2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5672
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2B33.tmp\2B34.tmp\2B35.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\2B33.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\2B33.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B33.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    PID:4676
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:748
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2500
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4008
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:512
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2980
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6032
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5108
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4384
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3952
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1896
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2120
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2384
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1776
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3188
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1284
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5868
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6040
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4264
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3576
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4360
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:752
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3376
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1732
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3048
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1780
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1708
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4508
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3632
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1536
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4376
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5472
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5152
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5460
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2388
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4536
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5344
- - C:\Users\Admin\AppData\Local\Temp\2B33.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\2B33.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\2B33.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\2B33.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:972
  - - C:\windows\SysWOW64\takeown.exe
      "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1896
  - - C:\windows\SysWOW64\icacls.exe
      "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6040
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f LogonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls LogonUI.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1492
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "tobi0a0c.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34d33defc241eaef385bcc41313a1a83

SHA1
896aaa8bf4a146800245d61cb6b29c94571cc610

SHA256
d2b1ed87552a45f08a23b939f404a2f458663b8e0391f9f5fdab0c1d506272ed

SHA512
4d63ae97b91ff32058b3faa8d996ad1fc5c1af161129a523075276e6361a32b5ce16d056a0d065404e36cc0750346456cd65681e768174d6181d3d4b759f9dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b537c667d4df3a121a094498fadd2f1d

SHA1
d1395d2e3ecf35c6561ebc6947197fb640c7694d

SHA256
f1a66a857913fb03e0edf3cb19539101d1ba4a4caba1f44f2b3d38597463f6f0

SHA512
d0c5d87ceefa9394209808b1f3f52af5ea327149f90108d1bed76b3b53adbb47d25563cdccd549e15c1f80a1032ee83e1da18a69cc1520cfee06715ebc127410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f4c424fea3f12ba1b4577033b71c409

SHA1
db2d2e978400d768d22abd269a357d56d73b4aa2

SHA256
a9d170542feda8ef4ad1418b06ffcc610e5018a1149f260e21cc65ce62e020ab

SHA512
24aaea05fe31f2557f7e33143e477ad5d557957c282ab3b8427fb41c5fac0a2d06a3d15d86478a115b7da6d0a01ab098ea15be397cf8bfbe94bf442065bc3824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b89e4f4666f6c7e194de246857a1b72

SHA1
21c8a3f884e9360faa4eb1c70895cc7c91f9b9fa

SHA256
7a700de9c6887d5d185153aeaa3fb40d48499fff6494c393340e281892b77006

SHA512
268710d0551d3afdbae57aa8f1572bec86cbaf49c0c2e68f13e4123439647f17eb802491734ff377bf1c0d2570e9a2ef78b04b379f211c04960ebfbe84016504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9642d0477c030838b91bf43e6c34672

SHA1
e72126b56ccdf755e1487714dd255ebc681c6c7a

SHA256
50aa77f59054bb11f7fc2fc78547c69e8c588939efefb8fe2899e69c2dd69feb

SHA512
e278b9b22b782df83a9ecd1a79100806ebffcd8b086e2ae7533f72d9b7a2228663145b83c92292a541cbe2e1e92e3c99ceb316bd91af60476ecc3ab694830cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f7df217dcbf6a4e9e81da1f6c477a05e

SHA1
b46143c4727c8bf9fb6d51ea36a5c1c1100525a1

SHA256
5097088c6b312eca67aec3acbbab43175d3ddf2f81dd02c9a7c769b671729e4a

SHA512
e32e387e385796def086cd6a85e98dcd51859ff12fae13b28cbfc072e7eb1b49a58ce5cbe88c456578348364d24a8ac1cb59d26d7535ee4e4136e658f2069f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
2675c8d2152f3874389816fcb510f5b7

SHA1
e815f652405551284a008a0de4898677ebd30725

SHA256
691d7cbff3fcd13829c8fc256817be1b66662eb535f9fb5aebb2943efc5b46f0

SHA512
44f29f9f05579ddb4f1e1b2769d37e2cb93aeb3789a9c701f6bff750166270834ac2ffcbc0f667018d12234424649e2dada39696b39f94fdf3d38df7fd37bbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c1ec718b04fcfaaedbca84901ffd81d4

SHA1
e6ab5f67ea32000af42f095c8e4807301dff542c

SHA256
8be676c56ec6555a1e416ff64a4248005739296bb01ee68716a280cd8efc1463

SHA512
dc8cf4defe822030d8b41a964c949f8614afa8e2755e0aaf425be368a7735829258ca3870b0b065d43689573b9a2cfea652e3e9dd327fe23d2a71312aac26e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6359db0422e711693aa6d6d9e197b39f

SHA1
9cecff7f0bfa77076e2dfe9edd40f7e2b29fa187

SHA256
02af209d6fa497b4e9bb06cfa13c02811a40e15a8222fd5362f372f3055219be

SHA512
789a629b80bb22222d623a950fbb636b257577aee86af322135a996686a3090e969b0ad3ddae1cf533630ca2af486d61d7078767d902e2dc506868b0fef9a787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580a0d.TMP

Filesize
874B

MD5
0f8d8b8396884331b527005688883845

SHA1
261bf408551c1cf2360255dc8dcff7b9d7b72251

SHA256
f2ef3510aaf20e6cde425157632d7a2d11bd7f829649714b86972b3a8dae7528

SHA512
6bc3818df7a60334e10dfec32bd6f997a2bf5a1432dbaab4506db521f42e59655c81192a1878b5bc6f539ffe4bdba1d4cbfffc89702d41413f52b714dc93f2f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5e3d7e4a4c548fa8f5ced2f95e95ff1

SHA1
900913d14b4b52d5d2b58057f987d1f5cd8f15a4

SHA256
8c62beae4f0752b8f9d969a9f48d1ad93ed372ca40ea6d3a6002bc4407d58f29

SHA512
ad59d487013a9a0f712eec866327ea9ea3dadffc3c787b7a8c8c2a6be380bd3862c21fd8f5e9eef39accb008b6eea3ee2f95723edcd5b4f366c879dece719aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d84b1aa7ec02193279a83db3975dae26

SHA1
bad05e1843d729699cc34e79b32bffb61a8c086a

SHA256
87b17598898b270b1726b035958b38d9814e11b0f1e7b5e5611e35df7b22a8e2

SHA512
2a49ec1d7d5cbb106f1860cf3c7ff811cb20f3ff5423e4d2ef6ee4ab300d429576824afaa7f57c1d75ae058cf96bca0e914346f8693a95ef255a48143dabb214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c1f385e10d8e3d86eb693419a9d54d76

SHA1
ab29f000e63cc1f8ff603c9ab85fb77883ee04bd

SHA256
95cc55b702ba80dc20a9dd39f2e00eedcc36812867a57b2ae280b2e6be0fdd1f

SHA512
a55d829e03f37474870eaa0cebacb5ac968dce91f444d7c8d629d395f19d7fb641469e4d65b40a0814535dbbd79e48752666b5a0e7ea1f401f633dda3615475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\2B34.tmp\2B35.vbs

Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\MainWindow.exe

Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\gdifuncs.exe

Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\mbr.exe

Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B33.tmp\tools.cmd

Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_CEC99108D72141AB87BD1B322B358FC9.dat

Filesize
940B

MD5
f7f3d3370b3d49b2a24897685b88c934

SHA1
a014a3bf6223e99a7f354b75426c41dbdf414963

SHA256
99971592ab9759ffbd98309ada4c1da21fadf61e4db6d9def30126e69ec9bae9

SHA512
c2b39607226122ba7da70623913daccbea3e08116e495f9e1c946f6930acf23aa96cd89ab57ddabb9d9337e0ba2944d336c8d4ccf53d87c9396c953d81027321

Download Submit
C:\Users\Admin\Desktop\ApproveRename.asf

Filesize
698KB

MD5
f2867ed9b7c14ffe97703e087d7e500e

SHA1
8fdadb1ddd136049e049ada603efbcb52ec31364

SHA256
5fd9c70099126c7eb48b2ce4fe5ae3357580197852ee34ecbbc2d64a0cd0daf6

SHA512
f5e1a454f86f3118e3e01f909ffc8ce990940690fdc3054870b76f8fa2a8fd6ddf76a8a4de2335be2970e19c3762ba13f8969a3fb9c7caa4895196dd1b5f5040

Download Submit
C:\Users\Admin\Desktop\BlockHide.xltx

Filesize
488KB

MD5
27c338d09ea9a63f57544cd179cb38ca

SHA1
ca0a24347f29036eae19eece4f2571f90db2ff63

SHA256
d781002f73c6bfe7cb3ed6037483eedb273f10521e0cedd729f47ba68de719b1

SHA512
15d85841c89a0d8a40863c88e82150a2b7f961972f7fe30e7a9d6e3135b1f19e12355b53094f397a8deb1d454e51430a23330b340469d24dddb9fda81a862ed0

Download Submit
C:\Users\Admin\Desktop\BlockInitialize.TTS

Filesize
511KB

MD5
f184de31c91d67946576a4fae3175f5a

SHA1
4c8c9d1168ed2e6ed6667e78d96e100051e70165

SHA256
3294162f82ada60803531ffba907f3c90b869b73b62b9a123ae41d3a8fb26e23

SHA512
0b8f4ea89fbcaf903498af331d2fbc82b415ef3def318bac3a03f27adbe979671ad0c675fd04252be748dd3b3b6ed1c0a414e517a980ae5340fe24e321786fb5

Download Submit
C:\Users\Admin\Desktop\CompleteSubmit.M2V

Filesize
535KB

MD5
b5ce025c19876ec9efcbb94473b99ab5

SHA1
b3a3ab39de1d8d675625c50edd91ddc576af3fde

SHA256
627f6fbf933ee551448d1a841db57f932e03fc4eb26014d84ae3529b2cc6bb4e

SHA512
3ccc909719aa4e28198d4703ec1a5307592c7c4ace019e314513987e3740a651e5577b8304fc6e8959b85fa65678a656765cebbaa3e34344420971b24ef83196

Download Submit
C:\Users\Admin\Desktop\DebugStep.wmv

Filesize
349KB

MD5
abd72ea4fcad939d5f6ccfe7eadddaeb

SHA1
54eb423d9a634945a4fdec4cbf28454b174a3423

SHA256
3fe1d27ef50ceb826a9176d4aac127ed17e20091ba9e5f457731eb4f9c8c7813

SHA512
afaa6270eaacc8e13b9a4c33753799e4b16d62a291e270afedb694b8c7b81b015c0ce5d5b4679432d5ba07c66a9098350d1fad22e4b6882fc509ea731afe7dd2

Download Submit
C:\Users\Admin\Desktop\GetEdit.tiff

Filesize
558KB

MD5
a14b24ec020be123336892ca29691ecc

SHA1
53c61e6b63af8ef2d6367bd3188d98c42ff9e3d1

SHA256
cff8ceead965cc61e1d371c316f423f999bba6fdfdf60e6448964d18d42a5c01

SHA512
3b1951daf4a132e9c04c9ac4e5ae4ac706ed41f091dc924da968025317479bfc103b39397a827ab0a4ace9a67bef398af1046ed8bfb88c90aff18d220dd9317f

Download Submit
C:\Users\Admin\Desktop\GetUninstall.mht

Filesize
465KB

MD5
4c73ddcb59cf0c241a087206038633fb

SHA1
c1f986fba9ab74444995d6d09f04bb7dd5111f98

SHA256
4bf0de6456e8075ef9132cd5527590aca96fac5db7e01182cf7aae0c1ecfe100

SHA512
168c831d28c3ae2a7bca08376474fdb44c14379489558a8d55ed100855295d6422b625e4f15f5f85f30a3e243c511db83e694d23c9dfa7a3fcc265691c5d5161

Download Submit
C:\Users\Admin\Desktop\InitializeRegister.i64

Filesize
395KB

MD5
f5c5de2613e9b0982d6144649fd89877

SHA1
103c81945aaf0a447ccfb34a0bf2d870368881e2

SHA256
2ab51cd3d12cbbc33916404c7f0dcc3fafdfa6b84c44ae513d195dbc777c9b6a

SHA512
84d5e13a09ff0ba94a9f48189d8d61e44e38dac7f3a3fe9a0e1802ad315b964829324867788e547527f605e18e3c7b48b4bc946238c05ffa7f8fa5b09bd0d1dc

Download Submit
C:\Users\Admin\Desktop\InitializeSubmit.mpe

Filesize
372KB

MD5
747b55f44411e5cc146a61914d631299

SHA1
7a29aa8b3facb1153ccdad4aa647afcbbf57baee

SHA256
3ef2a57b39cedb4198d7f3b3038f1b3153898219effa1b90540004fe08bf9cbf

SHA512
d508d09bc5fc0626f0073180a51ccecd93558066862fcadaec2c9d4745e8ffceb2b5bde40bf307c68072d8c0806ced68d28f6853f7a25e3f9dd4f4dfe590f0d3

Download Submit
C:\Users\Admin\Desktop\LockTrace.wmv

Filesize
255KB

MD5
d90c78e6521a63582dc49117e9fa2ee2

SHA1
7d10ed94025648ddb51c4486bfdf48c81093898e

SHA256
e72051273eb6aa98850e3c37241063051c313cb606b1c3405aaa4fdff10ac8c7

SHA512
369367a8be2a07cb93b9b687cbadd7d2539302e6633b09ebd59480d8e4e8559b3dec28fc7e9008c95805578c80aa936e653d1e86b22ee79bf4f55c02eb6ff091

Download Submit
C:\Users\Admin\Desktop\RegisterRequest.dll

Filesize
581KB

MD5
91de3136f09a84e2c77b879c8b857f82

SHA1
ab988e9b98f3bebcbf146053a106924c0a8d8e6d

SHA256
d4c616118b5a32e13f814d692684d36be35c529b7d3f604563c786c4c1b4b133

SHA512
8cb0be597394a00f5518b463500660fce5f5d957a5eb983f1c1166ead5314b7e40eb4cdb8eaaa124f6f55a3447159cc453e0cbff27dc035db103dad949595e51

Download Submit
C:\Users\Admin\Desktop\RemoveSkip.docx

Filesize
15KB

MD5
71eb58aaf3fcfd50e5dc92a69d63cfb7

SHA1
d605e935b0d0f558115c53f6bc997993ea666fae

SHA256
2905c827cfa417b561857e49b200597ca148da81513b3225f0a421a5dd376568

SHA512
14fab959d7bbba74e61192461e15978fae9aa5442beeb72424d56130da4f8b5295ff15eb27d0a14a6679546a8291bc61e7f2e4fdc137b3d0a3613f2a4f86a7bf

Download Submit
C:\Users\Admin\Desktop\ResetMeasure.dwfx

Filesize
605KB

MD5
854e29305085bf20ea508230cccd5ed6

SHA1
7827bd5d42bf42441720caef2de18fadf07c045b

SHA256
02e344405757cdc06852e98905685077ba8a2a7041c6a8277250b2f9167b6d7a

SHA512
e8cf4d582b6ac4d1751546c70f55ed510b5ddb2b618faa162369964aa1694e2a256b30714e23ab6838cf738af417ab4ef0373476d06d53a21b6cb7fac6844cba

Download Submit
C:\Users\Admin\Desktop\RestartBackup.sql

Filesize
651KB

MD5
0f94a25a3e2fd5eacc676287524b4bec

SHA1
0dbc20ae17d0249e72434ddd258ba3d993b48de1

SHA256
bb0e73a5a95174b407b42c64d15d614a22df1a4e6d90a5430cb38f04d5790483

SHA512
3918aaecd8e59c4e05bd92e5ed842a03f964203009860c310604fa4e0dcbeea705082066508e567eb0fa6504c257cb9cbda6bde7be156b28113c58d7013c7713

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Desktop\SaveRepair.mht

Filesize
302KB

MD5
27a170345876dc659b11e99677da52bf

SHA1
78db17ed91abdc73ba1fc4c4b2b49f946a9aa0d2

SHA256
48b422ddf5220a9a520a63aaaaeb673f845b5e95ef37c9a7bba24c5bb71b02f4

SHA512
be8d432615bde90d8b3fb49ea05e663fa539a5dae0f314de4096be63c5f594f8203028e93f729b877cdb5f9cfe74960c5f624420fbc7c5413e67fa99a513b60b

Download Submit
C:\Users\Admin\Desktop\SaveUnpublish.jpeg

Filesize
674KB

MD5
d34773d4b3cd34dc17ffaf7357afcd5b

SHA1
ce9d3f7671c2f315b36a688563b3eba7cd64bccc

SHA256
3f337b324a5fedf617cd7c93d310eed8863d6c84086680647c28ad7dd898e715

SHA512
20a097187955cfc04fda90c4d6e23ffa519bcb665a386135cc5b240ab1a7030242019e78eb4d9052483ca4985223f10e54ef970bffc3827fb1600f96797d9ee2

Download Submit
C:\Users\Admin\Desktop\SetSwitch.wmf

Filesize
442KB

MD5
8dd39b3578e0a5642d68fe0cc84a813b

SHA1
6276941964c2b55eb1b4058165b48007e01c24c0

SHA256
c6938d34ea71bd3073b55656cfc93ed5d62354b6ec708822517776990fb62257

SHA512
032a7e56e17b2f234a55fa2740ed7ef8a934332feb58c1f9aadc4d1fef43c0cad16f7b8d4db459a6e8edf6d8f38b3c970edd798ebf924329118fad98190749b4

Download Submit
C:\Users\Admin\Desktop\ShowSplit.vsd

Filesize
721KB

MD5
069e19c1abd7a70a0bd6b98d240fb24b

SHA1
d31dea5b9cc33121d269ef81d071b3bbaf98a9cf

SHA256
d0327b63c19f912bb73a0cabd0db7e9b61ccc21419cf8e56e1eaab28cddadde6

SHA512
16045993182a6812d93c4edb351be2d5cfe14c461db655a8ffecebae63969520016a110f91675844ab43234fdb5e1f72128aab3f7183fd7519e02a3ba53c14a6

Download Submit
C:\Users\Admin\Desktop\SplitEnable.shtml

Filesize
279KB

MD5
09a7db3b6b13bc22474ede6f030dff8c

SHA1
eddbde4d049b2f9adaee8fced20ebb797c933148

SHA256
04ab93ddc6fe562e00d79339265eca80ceb93bc42ea1c3043616406660642416

SHA512
421af6fc7d3060039083880803c43688c10c5d4e111642f41482bd6f5b6650f252541b529c05d8f3a0042aba19e85057556cf15f3a25a8d95e45307542048d16

Download Submit
C:\Users\Admin\Desktop\SuspendDeny.zip

Filesize
325KB

MD5
a2440217a0b763de9b7871001c7f1722

SHA1
06c14b70ee599c1a33e0a048e15fd735d5060fe2

SHA256
ded61f5d181fef847950d32f538a4ccaeb4dd0a778e33b1c9ad56a4e446240ab

SHA512
fef9d21cba791dcd9c8458a1dc154516eb26654950786bc6aa0eee3c8a712f2f10c8d72e88ad5c2c3c316a1c3b664ce9d32d18eab9566a8c70511c114830b848

Download Submit
C:\Users\Admin\Desktop\TestCompress.dwg

Filesize
628KB

MD5
6be29d9b0ade05b21183a4170663d774

SHA1
eb1c5a6eb43b7b9f66732a76498c08e3bd7310d3

SHA256
75a9ba5441553296ba4d34df3d822743d87fcbb30b17ac7608858362d122e125

SHA512
e3482577d81b64793f42c423f0795f11c5f683b2fa6f3f27647df7052218c30e386fc6c65e5f489c6be8e874492519ac48db6f3007617c6b6a97777860b27244

Download Submit
C:\Users\Admin\Desktop\UninstallStep.xlsx

Filesize
9KB

MD5
d855277f7a7ccec06803fb7fd507b3b5

SHA1
5d480f36c90a53680f1258ce39883abf173e86a8

SHA256
d08da550eb70e8dcfdc9f9bb992f3154a76f63bd45818c3468c4ef18e68a6623

SHA512
25cf3065a2ec75eb413153e0655692f562b0bd70950a78a1fb622ebc2e830c3835bab6ee1829fb9897576624dff12f9b0ed818de097a57302447835b21f5f8d6

Download Submit
C:\Users\Admin\Desktop\WaitRequest.xlsm

Filesize
418KB

MD5
eff367b073ecfc39cc35748459a98aa2

SHA1
1534b9cc3b897c4ab1d5a8ba981bb4089197a750

SHA256
724b41c9c37b7f0af80bb4eefae0b20bd4203a650b99724a03bc878252bc922d

SHA512
9f9941206191e01b2dfed7d07ee35e1ecc864d6b8369335a391c134eaa87e3fa068f5f069c97d73041ca6474f84ce529b8346a04f1a9d537b5c23b5a1988b5f0

Download Submit
C:\Users\Admin\Desktop\WatchCopy.css

Filesize
1000KB

MD5
494c647f650052d8d8dd21bad34f31e5

SHA1
232dd4ff049b0b61e0d04c32daf38d1bf6d9f3c8

SHA256
2643d1fd49cf3bf253a0bb11acd9a21108c990f2876397f9f515f9dc1f196d1b

SHA512
e1b6dd63a29ba00aae49a0c95a39fe3a6cbc77eeef7f4be3260b32196d0661c4a573c31ae378381989021bd565132f331ad917aae53a9d9b3ef2a1f68e747519

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
401B

MD5
e9caf9add08999bd053f5c2ad95240d3

SHA1
3b2413bf6251c02652811f6b9b350de144ee6dbd

SHA256
d847b03b6875246ff78b647fa965db8d4480f48f482cd3754f9daa5bd82b16d2

SHA512
9dd656758e9f55554dcdb456ecf0c7c96357b16f4caf2e40db784dcb01e2e4933d4cd5a2e5fa4d0d3ccb9ea09c1d17857af735d21c16c520efcf90ab6b081162

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 532989.crdownload

Filesize
9.7MB

MD5
914fadaee197d1f71082a7bd95e042e6

SHA1
3356ffc83b5edb82940a04ce067d9e7ae7fd248c

SHA256
07bb2b15e3e6a2711ab2290c1f4a10f89ce193657e64f4e92190b7139ffec6ac

SHA512
b9aa1390283b3003b264531ed50edeeae1922f25dca5fce0bcbfd5b72815ef7040fa8c024276e234286b76f46a4c69292b45b8250679f686f329ed9edb042026

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
d430547f4c6d64c4f36053f42de1b4d0

SHA1
9e92d41693a134f3ac4fb06f7aba663c8c856115

SHA256
10b0351332b326d17b516202e0a5bdf2f793377db77c373547b1eb564942cee4

SHA512
ac3db5254d551c1864c1ae411c8d6f87435277e18c1f5642c6b36da013a30087e56f28b66a7b6128de98e5ea0f87a57f5fd9061c545a8beb85658db85819b6da

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
b5b1db65ee4b5444f47f3ba856ba3a2c

SHA1
e26f2a2d3ce5c951d6540977e25eec2fc644b808

SHA256
7cf618a1e89f30170449a33a2ad7c8063970c71548beda7c31a808582cb8bce0

SHA512
27cee9c30552a6db9ce35d37e7207af7fdf1ef4db62bf2de712974976d3af8d8d0c1c2cd4624cb238daa4e26eb07147eb653a618630b9fa1daecba95d18c9607

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
506b5c060574b432deecfd9b8ce43ef5

SHA1
364f5adb90065d1df1c84c088e3248f8bd166dd9

SHA256
e41ff00c3bb1a2cfe3d73e11e9ef290fc69fb243bd0f6f34c4d337d98784a16f

SHA512
eede8f95a5ceb64ff58b5ebe314d8e80a8b291cb2e2ad51b080abf39a0163a9f19518d071095da50e0ad2e5c6df85b6d491a3d574132deb646ae40a07020699a

Download Submit
memory/972-712-0x00000000006C0000-0x00000000006E2000-memory.dmp

Filesize
136KB

Download
memory/972-716-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/972-717-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/972-718-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/4720-696-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads