lampion | 779ce84a4fb07c6b682eca35f836651025d7b9cfbe069423efb7902c583a3073

Resubmissions

06-03-2023 14:33

230306-rw9qpscg76 10

06-03-2023 14:32

230306-rwm7pscg72 1

06-03-2023 14:24

230306-rq2g5scg48 10

Analysis

max time kernel
76s
max time network
81s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
06-03-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

9.8MB
MD5

f8ceee79a7b323a7683a46f1c7636ad3
SHA1

8fe53a9600d1eb1e6789989d214480fa21711f31
SHA256

cbe35fed4367bc69d7ad61ab2e25c455501633f4adc8a8b864724d02f82804c2
SHA512

495d701de6372de2995ad6ae1e482d63d4197dcf8ab7f3b918ef73a42560bb88ce4dee0e36a99358f8b375baa9a6693f12eb3b12fdc84182c0a4f5049f247f20
SSDEEP

98304:AnNBW0h2GJfzIyepDL+LuMYBV+NBWzUNrQqMqS82ABqYBYCq6/4N5FZ7w8av8pD8:iW0SLw8BDoVn

Score

10^/10

lampion banker persistence trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\ircdfaqi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe"	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133225868896241725"	chrome.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

windows.exechrome.exe

pid	process
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
1312	chrome.exe
1312	chrome.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe
2452	windows.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1312 chrome.exe
1312 chrome.exe
1312 chrome.exe
1312 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe
Token: SeShutdownPrivilege	1312	chrome.exe
Token: SeCreatePagefilePrivilege	1312	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exe

pid	process
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

windows.exe

pid process

2452 windows.exe
2452 windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1312 wrote to memory of 4652	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4652	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4384	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4408	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 4408	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe
PID 1312 wrote to memory of 3280	1312	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff803f9758,0x7fff803f9768,0x7fff803f9778
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:1
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4820 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4304 --field-trial-handle=1744,i,13926293805194137522,8661349258755421131,131072 /prefetch:8
  2⤵
  PID:4584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
0e9a925cc1ce40fc6a741f3518252c70

SHA1
582dc4be9b93ab73f12704c2d1993821b90c4348

SHA256
6599f33a3871961f301b6ad06de38d7814b2263713171426c08f1a81f7f4a8a7

SHA512
273233115e904ef21e37995f5c019ca04c2667b83b61b2763f95a52256d7dc0e1a87a02408e0cfad31f85a7f8d9d2ddac0185b52b2fca4905b4c4e7611dee13f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
534B

MD5
af9cda10fa30d68246c752ef5c6d323d

SHA1
d7b2bae678c4a2afd7f73f923c57cefa0297f931

SHA256
60fdc3508cc1d202ae97d25ec28a14a8fd61c781797c649560d4aadd6fd97936

SHA512
8823d6d5e9251a9e952134c22291a11be8ea1d6b7920b848906b98be9168f9de85092126bd86ddee96c860792876aae59735fdf46d23396fbf3be879e3f16144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
43ecbef6d61ec55397b4b6dd57d43a27

SHA1
fa82b80141ae95f5c0dfbb753ebc23f73d64b567

SHA256
ae89db40d05546b7fe1be4d73beab7de4dee0c051c81782efe69d78969cba7a1

SHA512
1175ce64190a6d0de1fe00068034cf9461e1066067dab96156a00da19c3d227d6a18fde276a4b09ee4ef646ed0cddf873254f616a103cf8ddf2765199af27f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
10178e9e20fdb7016b0c75166421a461

SHA1
37eab46fc92d6007c073b52b326c5b50f75d8f3c

SHA256
f628724802c725e148ce2d64ad9de071c9f57ef59e794dfdeda23379767fe90f

SHA512
a6cba39f3e8363c684c5082542b7955f42db084c32061d708125ec983e06b083423b0c0434dae377c9f7ab00ba8ba3d6e5f2de6f52252ea5dcef4659c3d285cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d94c6f77f2d169f916b87e478846588

SHA1
77b1a0193cde6db9497cd57b8e67d72d5fec93a4

SHA256
7dbe20c7dbb7fc864f72f97c4f5b85e5cbc35a991fbb500c4eb25383df178ddc

SHA512
6a006b40d9cc82079acc9501f5216e73952f05897f1b3c6ccf250fa774fd6a11865e39d7d95a7fb89e35ba99cb8594389e3a1250585caef16f2258913260f731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8636833ca364dc250e671f414e1e6707

SHA1
c6dbb9511f7cd9ff8f380171391adcdd331aa05e

SHA256
b7816550876e35d98c188b961b32ace75faa333ee4d3d90dcb36e293e1514a7c

SHA512
302038758639a2861976ce8d665021f6c58bde73b853c59c882b7857b414d204446e5d17eea7b5af6965d18266a6a8848b5d980286c01c2e76370df2f937f0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b834.TMP

Filesize
48B

MD5
836bf9a91cf0a536d5f5e723e144364c

SHA1
4eaf041216b62bab69b5efaf60371d363832f4bd

SHA256
7cb21ab55eefb2428474b49a4a0d5c86b5a2f8fe8a460778880b6b558a5a0979

SHA512
6756d288d0e8a61b4d004c0fac7ec760dda0c99af889140d2c727864cd77f6ff0d1c1efb6f04a01c59234e8d17492672e2bd5cb611548c043e32d0c1dabad48b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
a94c896d7566a9a0362b4055327f334d

SHA1
48a82d9759fd7eb4dc10419b1082f25e4d9c9cbc

SHA256
836b3d447e9484e66d9e2ffaad4eb7c727a291663df8363cfab16d23deab5165

SHA512
85d9a121bea8270f2c6c9cb495604a0e42331392446bd265f61c416322a940ee4a27e83c12de54cb02f1429498782b999af92462fc0dc160fdb52055dfd5d3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
8a25868b7b184f78eef14eb554103694

SHA1
c202e8995001914650be40cc93ed336e5b8619bf

SHA256
db731430e14389ca8c8105631d8cf1dfe4e0ef44363b97a29e0a21a276ceb330

SHA512
1e159e8f897a45a27b17704111801fc1a712614676c9c6f0cdd2ca8d213e732e9cfb0bf083df9094c06d404f3bf52e406a69183b0c96ad0fe46d1e5b5fbbf9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57af1c.TMP

Filesize
93KB

MD5
b629682b01eef4982f381f2f51f7c203

SHA1
136f146da3037b9881cffc7723d958be3b24b601

SHA256
8dc2a849c3f6b3ef1f525a999f376face7a20c3522d171f65ca35905e30518d7

SHA512
d2fb47ee22a5640857b06008327488322d18c79c542db339d50af7042024182c3f094b2ddb7e72b75d6383e7e80bc5a0e6ea50a80a054b020ef36d0d68b4bd33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1312_KPFYLIVIGFJDCNFO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1392-185-0x00007FFF9B260000-0x00007FFF9B261000-memory.dmp

Filesize
4KB

Download
memory/1392-186-0x00007FFF9BBC0000-0x00007FFF9BBC1000-memory.dmp

Filesize
4KB

Download
memory/2452-121-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2452-127-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2452-126-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2452-125-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2452-122-0x0000000008E90000-0x000000000E807000-memory.dmp

Filesize
89.5MB

Download
memory/2452-123-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/4384-139-0x00007FFF9C1E0000-0x00007FFF9C1E1000-memory.dmp

Filesize
4KB

Download