File name:

SpongebobF__k.zip

Full analysis: https://app.any.run/tasks/45ba754d-4123-43fb-990f-b2b6f3451e3e
Verdict: Malicious activity
Analysis date: April 29, 2025, 11:50:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

F8291DA1E099DF0FFD0C29B1D524486A

SHA1:

D585BC7505C143175AF3DD211528312CCA3B518E

SHA256:

A80CCB67B62BE1F2E7A76DC2901EF45B187FD1E50DA23380F3155DDC180A242C

SSDEEP:

98304:oGtXrezJqoEEkXYoowXcMaoH3SndfMcaSup0P6kG/2UdcmNgLKQTZ30S2BIczyOc:jxZmnMocaRakB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UAC/LUA settings modification

      • reg.exe (PID: 6268)

    • Disables Windows Defender

      • reg.exe (PID: 632)

    • Disables task manager

      • reg.exe (PID: 2772)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 6300)
      • net.exe (PID: 5400)

    • Create files in the Startup directory

      • cmd.exe (PID: 6300)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1760)
      • WinRAR.exe (PID: 2340)
      • ShellExperienceHost.exe (PID: 5228)

    • Application launched itself

      • WinRAR.exe (PID: 1760)

    • Generic archive extractor

      • WinRAR.exe (PID: 1760)

    • Executable content was dropped or overwritten

      • SpongebobFuck.exe (PID: 6644)
      • cmd.exe (PID: 6300)

    • Executing commands from ".cmd" file

      • SpongebobFuck.exe (PID: 6644)

    • Starts CMD.EXE for commands execution

      • SpongebobFuck.exe (PID: 6644)

    • Creates file in the systems drive root

      • cmd.exe (PID: 6300)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6300)

    • Changes the desktop background image

      • reg.exe (PID: 6516)
      • reg.exe (PID: 5776)

    • The system shut down or reboot

      • cmd.exe (PID: 6300)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 2792)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2340)

    • Checks supported languages

      • SpongebobFuck.exe (PID: 6644)
      • ShellExperienceHost.exe (PID: 5228)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2340)
      • SpongebobFuck.exe (PID: 6644)
      • cmd.exe (PID: 6300)

    • Create files in a temporary directory

      • SpongebobFuck.exe (PID: 6644)

    • Reads the time zone

      • net1.exe (PID: 5756)

    • Creates files in the program directory

      • cmd.exe (PID: 6300)

    • Reads the computer name

      • ShellExperienceHost.exe (PID: 5228)

    • Manual execution by a user

      • svchost.exe (PID: 3840)
      • svchost.exe (PID: 4020)
      • svchost.exe (PID: 4156)
      • svchost.exe (PID: 4196)
      • svchost.exe (PID: 4324)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 4708)
      • svchost.exe (PID: 5580)
      • svchost.exe (PID: 5764)
      • svchost.exe (PID: 5904)
      • svchost.exe (PID: 4812)
      • svchost.exe (PID: 4924)
      • TrustedInstaller.exe (PID: 5076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:02:22 12:39:14
ZipCRC: 0xd4a63fe7
ZipCompressedSize: 7667982
ZipUncompressedSize: 7667123
ZipFileName: SpongebobF__k.zip
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
260
Monitored processes
34
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start start winrar.exe no specs sppextcomobj.exe no specs slui.exe no specs winrar.exe spongebobfuck.exe no specs spongebobfuck.exe conhost.exe no specs cmd.exe reg.exe no specs rundll32.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs net.exe no specs net1.exe no specs shellexperiencehost.exe no specs shutdown.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs plugscheduler.exe no specs svchost.exe no specs svchost.exe no specs ctfmon.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe trustedinstaller.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
632Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1512RUNDLL32.EXE user32.dll,UpdatePerUserSystemParametersC:\Windows\SysWOW64\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1660"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1760"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\SpongebobF__k.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1073807364
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1760C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvcC:\Windows\System32\svchost.exeservices.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2340"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1760.29069\SpongebobF__k.zipC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1073807364
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2772REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2792"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
3840C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserServiceC:\Windows\System32\svchost.exeservices.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4020C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVCC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
18 429
Read events
18 222
Write events
171
Delete events
36

Modification events

(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SpongebobF__k.zip
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1760) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(2340) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
Executable files
9
Suspicious files
49
Text files
120
Unknown types
0

Dropped files

PID
Process
Filename
Type
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\SpongebobFuck.exeexecutable
MD5:FF4A17C39D21C1142B374BB10958EB26
SHA256:2D6A69E59A296086964F4F1B54A6EC0F63C804754839996735F0DCE4CDD853F2
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\bg.bmpimage
MD5:CE45A70D3CC2941A147C09264FC1CDA5
SHA256:ECEEDADFDE8506A73650CFA9A936E6A8FFF7FFB664C9602BB14432AA2F8109AC
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\Aha-Soft-Desktop-Halloween-Halloween.icoimage
MD5:14C37F910B757FD3F9F4520CB5029F0D
SHA256:FB03C68CAD5D15AA032E36D0EE2D523CF75F458DCFA8C390C27B9FD35585AF1D
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\bg.jpgimage
MD5:048B5C4237BB6B8A34CDEE22F5FEC4E4
SHA256:CC5EA4B47FB465B78B7DE3CF0ED2EA6DBA084BA7AD28C3A4538FB2E161FB1B09
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\MainWindow\bob.jpgimage
MD5:042D1CDFD13656BD82A21639269CEDCD
SHA256:31BECB9A56FF7027315B60E082B1D4ADBE20552293F462803502EDE2CA89B82C
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\bobspeak.vbstext
MD5:8884A25E47D799F6BD3D4EC20F05A3B7
SHA256:5A68437EDD63BD826A1F1557121D4C05114C608FD8A18A0C9C156A60D90BD0C1
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\MainWindow\Form1.frmtext
MD5:013C8DEA10CE11E18C0E354C0706EB91
SHA256:991BF2B59E6898A1FC3CF756F4625D33072827EC9FF6854F27E418293688B0C2
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\MainWindow\Form1.frxbinary
MD5:CDE47366CA233B23CF4D598BD3FFAFAC
SHA256:54FCE5879E05184B59BAF6B58F704AEA0CAD0B393F6B1A4829817A0BC360E4AC
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\MainWindow\MainWindow.exeexecutable
MD5:03D8B31DB1ED1294334B872F756AD1A1
SHA256:7E17DCAAFC07877E720B3FC0E666AC69E2DCE8E7458AE9B23902BCF5F8F2A40A
2340WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2340.29644\Source\MainWindow\MainWindow.vbptext
MD5:D9862E53AA07A9BF11FB7C8956AC29A7
SHA256:D8E7B4C2668E96F24EDF3BCF18827939622D233D208A90A552E3B6B5F51A447C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
42
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5288
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.172:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
6544
svchost.exe
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.172
  • 23.48.23.177
  • 23.48.23.163
  • 23.48.23.169
  • 23.48.23.167
  • 23.48.23.175
  • 23.48.23.173
  • 23.48.23.161
  • 23.48.23.171
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.76
  • 40.126.32.133
  • 20.190.160.66
  • 40.126.32.72
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
self.events.data.microsoft.com
  • 20.189.173.16
  • 51.105.71.136
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SpongebobF__k.zip