hxxps://cdn[.]discordapp[.]com/attachments/1231440804208312402/1231440887524098109/Krampus[.]exe?ex=6636f7b2&is=662482b2&hm=072248e040c57d6f50f4ca9d0edc0521a56014940da22fafd562acef7e2e9afd&

Resubmissions

21/04/2024, 03:24

240421-dx26csaa41 8

21/04/2024, 03:09

240421-dnskkahd76 8

Analysis

max time kernel
35s
max time network
36s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1231440804208312402/1231440887524098109/Krampus.exe?ex=6636f7b2&is=662482b2&hm=072248e040c57d6f50f4ca9d0edc0521a56014940da22fafd562acef7e2e9afd&

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3600	Krampus.exe
492	Krampus.exe

Loads dropped DLL 17 IoCs

pid	Process
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe
492	Krampus.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aa59-140.dat	upx
behavioral1/memory/492-144-0x00007FF8C5670000-0x00007FF8C5ADE000-memory.dmp	upx
behavioral1/files/0x000100000002aa4c-147.dat	upx
behavioral1/files/0x000100000002aa57-148.dat	upx
behavioral1/memory/492-166-0x00007FF8D9170000-0x00007FF8D9194000-memory.dmp	upx
behavioral1/memory/492-167-0x00007FF8DBDF0000-0x00007FF8DBDFF000-memory.dmp	upx
behavioral1/files/0x000100000002aa53-165.dat	upx
behavioral1/files/0x000100000002aa52-164.dat	upx
behavioral1/files/0x000100000002aa51-163.dat	upx
behavioral1/files/0x000100000002aa50-162.dat	upx
behavioral1/files/0x000100000002aa4f-161.dat	upx
behavioral1/files/0x000100000002aa4e-160.dat	upx
behavioral1/files/0x000100000002aa4d-159.dat	upx
behavioral1/files/0x000100000002aa4b-158.dat	upx
behavioral1/files/0x000100000002aa5e-157.dat	upx
behavioral1/files/0x000100000002aa5d-156.dat	upx
behavioral1/files/0x000100000002aa5c-155.dat	upx
behavioral1/files/0x000100000002aa58-152.dat	upx
behavioral1/files/0x000100000002aa56-151.dat	upx
behavioral1/memory/492-173-0x00007FF8D9040000-0x00007FF8D906D000-memory.dmp	upx
behavioral1/memory/492-180-0x00007FF8C54F0000-0x00007FF8C5661000-memory.dmp	upx
behavioral1/memory/492-177-0x00007FF8D8D00000-0x00007FF8D8D1F000-memory.dmp	upx
behavioral1/memory/492-185-0x00007FF8D9000000-0x00007FF8D900D000-memory.dmp	upx
behavioral1/memory/492-186-0x00007FF8D7F40000-0x00007FF8D7F6E000-memory.dmp	upx
behavioral1/memory/492-191-0x00007FF8C4E20000-0x00007FF8C5195000-memory.dmp	upx
behavioral1/memory/492-187-0x00007FF8D3FC0000-0x00007FF8D4078000-memory.dmp	upx
behavioral1/memory/492-193-0x00007FF8D8CF0000-0x00007FF8D8CFD000-memory.dmp	upx
behavioral1/memory/492-194-0x00007FF8D8F70000-0x00007FF8D8F89000-memory.dmp	upx
behavioral1/memory/492-195-0x00007FF8D81F0000-0x00007FF8D8209000-memory.dmp	upx
behavioral1/memory/492-196-0x00007FF8D81D0000-0x00007FF8D81E4000-memory.dmp	upx
behavioral1/memory/492-197-0x00007FF8C53D0000-0x00007FF8C54E8000-memory.dmp	upx
behavioral1/memory/492-233-0x00007FF8C5670000-0x00007FF8C5ADE000-memory.dmp	upx
behavioral1/memory/492-234-0x00007FF8D9170000-0x00007FF8D9194000-memory.dmp	upx
behavioral1/memory/492-235-0x00007FF8DBDF0000-0x00007FF8DBDFF000-memory.dmp	upx
behavioral1/memory/492-236-0x00007FF8D9040000-0x00007FF8D906D000-memory.dmp	upx
behavioral1/memory/492-237-0x00007FF8D8F70000-0x00007FF8D8F89000-memory.dmp	upx
behavioral1/memory/492-239-0x00007FF8C54F0000-0x00007FF8C5661000-memory.dmp	upx
behavioral1/memory/492-238-0x00007FF8D8D00000-0x00007FF8D8D1F000-memory.dmp	upx
behavioral1/memory/492-240-0x00007FF8D81F0000-0x00007FF8D8209000-memory.dmp	upx
behavioral1/memory/492-241-0x00007FF8D9000000-0x00007FF8D900D000-memory.dmp	upx
behavioral1/memory/492-242-0x00007FF8D7F40000-0x00007FF8D7F6E000-memory.dmp	upx
behavioral1/memory/492-243-0x00007FF8D3FC0000-0x00007FF8D4078000-memory.dmp	upx
behavioral1/memory/492-244-0x00007FF8C4E20000-0x00007FF8C5195000-memory.dmp	upx
behavioral1/memory/492-245-0x00007FF8D81D0000-0x00007FF8D81E4000-memory.dmp	upx
behavioral1/memory/492-246-0x00007FF8D8CF0000-0x00007FF8D8CFD000-memory.dmp	upx
behavioral1/memory/492-247-0x00007FF8C53D0000-0x00007FF8C54E8000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1488	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 820712.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krampus.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
3588	msedge.exe
3588	msedge.exe
3592	identity_helper.exe
3592	identity_helper.exe
2260	msedge.exe
2260	msedge.exe
3720	powershell.exe
3720	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
3720	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: 36	2540	WMIC.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: 36	2540	WMIC.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2044	5024	msedge.exe	79
PID 5024 wrote to memory of 2044	5024	msedge.exe	79
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 2644	5024	msedge.exe	80
PID 5024 wrote to memory of 4816	5024	msedge.exe	81
PID 5024 wrote to memory of 4816	5024	msedge.exe	81
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82
PID 5024 wrote to memory of 3896	5024	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231440804208312402/1231440887524098109/Krampus.exe?ex=6636f7b2&is=662482b2&hm=072248e040c57d6f50f4ca9d0edc0521a56014940da22fafd562acef7e2e9afd&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d86f3cb8,0x7ff8d86f3cc8,0x7ff8d86f3cd8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,16211362501211652236,13010723163713541910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Users\Admin\Downloads\Krampus.exe
  "C:\Users\Admin\Downloads\Krampus.exe"
  2⤵
  - Executes dropped EXE
  PID:3600
- - C:\Users\Admin\Downloads\Krampus.exe
    "C:\Users\Admin\Downloads\Krampus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Krampus.exe'"
      4⤵
      PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Krampus.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Sdk: Data base Not Found', 0, '[Startup Error]', 0+16);close()""
      4⤵
      PID:3040
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Sdk: Data base Not Found', 0, '[Startup Error]', 0+16);close()"
        5⤵
        
        PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3220
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1616
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54caf18c2cda579e0dad6a9fc5179562

SHA1
357d25de14903392900d034e37f5918b522e17c9

SHA256
28d77529de92eb605d8afee0e133a7d08e13d4386e5e38d63e2da34623eaad6b

SHA512
88da5a33df9d82408afb8344ec7dbaf7686435fdb55eccfb85d5560f39861e84cef5d71949d5efe7a191778e6be755a8448f3fc3d7043007037f9f5227e10210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
696ffba7b83ecf008523e96918f200d9

SHA1
970d90e22c8b3674fc33cdd1913c51ef28514255

SHA256
dc6dacd725d7385b2e4db1f488d93f2840d2289efdaaf3737849304d1ab9ba34

SHA512
f8528683b70b58376f3eba3338fa6b462c9e9248c72524573005cff6397a0556bdcc2fdc2ebb020ba8218bc8174ba552002f223a245dfe3d3688826d24d63237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0b087e9f5340f72361fdc883c401fdd2

SHA1
438e725de9645a743b748713943420a8250dac56

SHA256
de29577d389fc187c13a0704acec7e846650853667c1bc234f093488b4baaf1a

SHA512
65ccfbf874c21b279fb0ea1ca72048f1ea4b08d5b486ef2a7a36d5b104cb3f4f1d6968b051f14b8361042bf23c0e1ed6aff289c57f1eea717c00242f10440278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93fa8711905566ff6a8f42232cc8ba9d

SHA1
0f374d6920ebefa09254e22d1bfb3553b7798d4e

SHA256
13dc103ac3dce938e082411cac024f9e4eb11e68925eb0e4588a505e010cae39

SHA512
76a95c013a970600fa0d01a5a1c5e7196c0febe10a9687d0c7495be7640fd1a877cd5bbab92cfeb282c7f67589d0b5028735148c5fe424b10c937128170b4cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd19a6c97b7a8da91b73d6b52f887aa6

SHA1
19293ea0fa752943a1aa52fde12a94b123ae4edf

SHA256
b54b252b06dc98618e6c8ae529d2993831803bab2dee185a605451be0eb14be2

SHA512
c3db008bb9cd6d60ec48143b666895f514fc0e4ae8842fe87cc75ec0a0221d077fe5cfeddf3a34976687d9bfad6e9c650f30883331ccbe086830fa7f0b6dcd25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
49859aa5e714d31b44c1b4276b5052ec

SHA1
c388c6d090121cebe7f59cff59ff3844117a49aa

SHA256
bb08fb033374f4650589642ef560ad5c1b839be37ca5e449bbf96ac7dbec4e9c

SHA512
1d6c9a5dfedbe8c4b595e45e7a72dc33eecf4214874b65c4a41565017237a8dffe6c0d3757754a323172c7356ebffa15554fb287d9a58b1866a5bd07d6031b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\base_library.zip

Filesize
859KB

MD5
6d649e03da81ff46a818ab6ee74e27e2

SHA1
90abc7195d2d98bac836dcc05daab68747770a49

SHA256
afede0c40e05ce5a50ff541b074d878b07753b7c1b21d15f69d17f66101ba8fd

SHA512
e39621c9a63c9c72616ae1f960e928ad4e7bad57bfb5172b296a7cc49e8b8e873be44247a475e7e1ded6bc7e17aa351397cdeb40841258e75193586f4649d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\blank.aes

Filesize
71KB

MD5
1df6e2b94a8b60e82aba7e29ca4e551f

SHA1
f740ff9bea5e19545cc22be4daab55a21ab48b55

SHA256
671455b2833d02af749d8199555e6bcda5ea790e191bdc0699b89676c32bcdf1

SHA512
dd6be45e4451906eda269a6ba8c9170dc171bd6d2841a72afc0c8c18c1ece5db244aedc926120af15e678a95d6a24d1102192b4181de8bd9d3fc15ca699a0d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\blank.aes

Filesize
71KB

MD5
7591759d4dcccc7c5fc902bdfb1e8515

SHA1
db6daab6094cecf128a833c46f8de8250f23cb01

SHA256
bc8a13dd69520e2fc1a29d0ad3c0ab8a8bea0f0874f6091c64f0d1a9df381aaa

SHA512
3d587c3a41f38141416c5cb1bda9eaf7bad1e6483f23a0270754abb77a1888862c8d70e500a271401b4ac59723629b7d0cc783068da778192a8a0c07a14b1f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36002\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fliju2yd.u1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Krampus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 820712.crdownload

Filesize
6.0MB

MD5
2a871625ee598f088dfee42a8d46a5f8

SHA1
7bffb0122a7f97f834ba3137e4c60c5b72c87c55

SHA256
bcae0c27f2bfbe03c43e236b0f1ce3d6dcb6868fd2c74cec335316ea97b10ee1

SHA512
2b860ba408549b3a0ec839ec7d1f5b02a3896af51787ea1cc54c8ba304e5a6c52e0b8d75e1f1297e470701a4976e745b0008829b5658d90bf42ac91f2559cc9c

Download Submit
memory/492-186-0x00007FF8D7F40000-0x00007FF8D7F6E000-memory.dmp

Filesize
184KB

Download
memory/492-236-0x00007FF8D9040000-0x00007FF8D906D000-memory.dmp

Filesize
180KB

Download
memory/492-185-0x00007FF8D9000000-0x00007FF8D900D000-memory.dmp

Filesize
52KB

Download
memory/492-180-0x00007FF8C54F0000-0x00007FF8C5661000-memory.dmp

Filesize
1.4MB

Download
memory/492-191-0x00007FF8C4E20000-0x00007FF8C5195000-memory.dmp

Filesize
3.5MB

Download
memory/492-192-0x00000212D2F90000-0x00000212D3305000-memory.dmp

Filesize
3.5MB

Download
memory/492-187-0x00007FF8D3FC0000-0x00007FF8D4078000-memory.dmp

Filesize
736KB

Download
memory/492-193-0x00007FF8D8CF0000-0x00007FF8D8CFD000-memory.dmp

Filesize
52KB

Download
memory/492-194-0x00007FF8D8F70000-0x00007FF8D8F89000-memory.dmp

Filesize
100KB

Download
memory/492-195-0x00007FF8D81F0000-0x00007FF8D8209000-memory.dmp

Filesize
100KB

Download
memory/492-196-0x00007FF8D81D0000-0x00007FF8D81E4000-memory.dmp

Filesize
80KB

Download
memory/492-197-0x00007FF8C53D0000-0x00007FF8C54E8000-memory.dmp

Filesize
1.1MB

Download
memory/492-144-0x00007FF8C5670000-0x00007FF8C5ADE000-memory.dmp

Filesize
4.4MB

Download
memory/492-173-0x00007FF8D9040000-0x00007FF8D906D000-memory.dmp

Filesize
180KB

Download
memory/492-247-0x00007FF8C53D0000-0x00007FF8C54E8000-memory.dmp

Filesize
1.1MB

Download
memory/492-246-0x00007FF8D8CF0000-0x00007FF8D8CFD000-memory.dmp

Filesize
52KB

Download
memory/492-245-0x00007FF8D81D0000-0x00007FF8D81E4000-memory.dmp

Filesize
80KB

Download
memory/492-244-0x00007FF8C4E20000-0x00007FF8C5195000-memory.dmp

Filesize
3.5MB

Download
memory/492-243-0x00007FF8D3FC0000-0x00007FF8D4078000-memory.dmp

Filesize
736KB

Download
memory/492-242-0x00007FF8D7F40000-0x00007FF8D7F6E000-memory.dmp

Filesize
184KB

Download
memory/492-241-0x00007FF8D9000000-0x00007FF8D900D000-memory.dmp

Filesize
52KB

Download
memory/492-240-0x00007FF8D81F0000-0x00007FF8D8209000-memory.dmp

Filesize
100KB

Download
memory/492-238-0x00007FF8D8D00000-0x00007FF8D8D1F000-memory.dmp

Filesize
124KB

Download
memory/492-239-0x00007FF8C54F0000-0x00007FF8C5661000-memory.dmp

Filesize
1.4MB

Download
memory/492-167-0x00007FF8DBDF0000-0x00007FF8DBDFF000-memory.dmp

Filesize
60KB

Download
memory/492-166-0x00007FF8D9170000-0x00007FF8D9194000-memory.dmp

Filesize
144KB

Download
memory/492-237-0x00007FF8D8F70000-0x00007FF8D8F89000-memory.dmp

Filesize
100KB

Download
memory/492-177-0x00007FF8D8D00000-0x00007FF8D8D1F000-memory.dmp

Filesize
124KB

Download
memory/492-233-0x00007FF8C5670000-0x00007FF8C5ADE000-memory.dmp

Filesize
4.4MB

Download
memory/492-234-0x00007FF8D9170000-0x00007FF8D9194000-memory.dmp

Filesize
144KB

Download
memory/492-235-0x00007FF8DBDF0000-0x00007FF8DBDFF000-memory.dmp

Filesize
60KB

Download
memory/3720-220-0x000001FAC8650000-0x000001FAC8660000-memory.dmp

Filesize
64KB

Download
memory/3720-232-0x00007FF8C4350000-0x00007FF8C4E12000-memory.dmp

Filesize
10.8MB

Download
memory/3720-225-0x000001FAC8650000-0x000001FAC8660000-memory.dmp

Filesize
64KB

Download
memory/3720-203-0x000001FAE0CA0000-0x000001FAE0CC2000-memory.dmp

Filesize
136KB

Download
memory/3720-223-0x000001FAC8650000-0x000001FAC8660000-memory.dmp

Filesize
64KB

Download
memory/3720-218-0x00007FF8C4350000-0x00007FF8C4E12000-memory.dmp

Filesize
10.8MB

Download
memory/3720-219-0x000001FAC8650000-0x000001FAC8660000-memory.dmp

Filesize
64KB

Download
memory/4468-224-0x000001AED34B0000-0x000001AED34C0000-memory.dmp

Filesize
64KB

Download
memory/4468-222-0x000001AED34B0000-0x000001AED34C0000-memory.dmp

Filesize
64KB

Download
memory/4468-221-0x000001AED34B0000-0x000001AED34C0000-memory.dmp

Filesize
64KB

Download
memory/4468-208-0x000001AED34B0000-0x000001AED34C0000-memory.dmp

Filesize
64KB

Download
memory/4468-207-0x00007FF8C4350000-0x00007FF8C4E12000-memory.dmp

Filesize
10.8MB

Download
memory/4468-231-0x00007FF8C4350000-0x00007FF8C4E12000-memory.dmp

Filesize
10.8MB

Download