d3b861fab82e305bc0ed504731aa44fbe4717ef1536c7e7a3049b722d95e4c12

Analysis

max time kernel
101s
max time network
89s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07-05-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krampus/krampus/Loader5.4.exe
Size

5.4MB
MD5

852ac135a3723323566a0c226128913e
SHA1

49bfbcf275e5cbdc1bb838bd497fb5a32727c2a1
SHA256

07f15b10ba58970acf83de539bc55c726c1cab3c6ee872d4172a1070c983e306
SHA512

c0928b9de4c2b8bea188dc1ebbecc76000f3e2aff29fe450ec88de5d28764272f2692e48c761e27113a9617f0210cf9a50cf8c44087a140dcad3f8ace65b4a2c
SSDEEP

49152:dXBlVZgljh/jCY7894a1DTMqX/akC6lXVkjU9jD5EHsho/CSymeI7++k604TxNB/:5FlY7AgoC6l/Ert7BLQecp

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3232	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595337227721921"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Loader5.4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Loader5.4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Loader5.4.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3232	powershell.exe
3232	powershell.exe
3952	chrome.exe
3952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3232	1396	Loader5.4.exe	79
PID 1396 wrote to memory of 3232	1396	Loader5.4.exe	79
PID 3952 wrote to memory of 1160	3952	chrome.exe	85
PID 3952 wrote to memory of 1160	3952	chrome.exe	85
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 3000	3952	chrome.exe	86
PID 3952 wrote to memory of 4956	3952	chrome.exe	87
PID 3952 wrote to memory of 4956	3952	chrome.exe	87
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88
PID 3952 wrote to memory of 408	3952	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\krampus\krampus\Loader5.4.exe
"C:\Users\Admin\AppData\Local\Temp\krampus\krampus\Loader5.4.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\\\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6b3acc40,0x7ffe6b3acc4c,0x7ffe6b3acc58
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3116,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3712,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4392,i,7866946000479066099,16448879260987617435,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3624

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
852bcefa7f0895671900573aa36c2aae

SHA1
4ea457e443f6736915cff43a6735fe1883115ddd

SHA256
3860f9164b432f0c586ed11382ed7861e6e3c56a0e61d55795dea6c6e541d1e7

SHA512
ac7d3b846eb8b799038176c8e627b53df263fde9e6f4e692c295b5aa42b61229bac965a7b8e51be173a68473dbfc378869721172de1f83f4c33717a5b829e943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
973edc8a19132f8a01af1118ebd2b820

SHA1
d59cb65da02316627e560ea44536c6ee7232ba16

SHA256
05fa0ed20a6cb9bf03c34c2caed55e22e8c2916d9b9467a02eeb02f5a10c331e

SHA512
c33bdd016ced8df3730855d857aaf3a1ff376d82a6299f0c7616142b51e7e7a6cba0359a0df5793c4f9401ebdbfeca9a69e21993ca239d8434acfd0295bcd731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9fed8906319efcd8a5a3440d900ba488

SHA1
0fb91149840be166637dc1a8acd55dcc521c5592

SHA256
280167fb6821a24b5371a33423c54fc07c8f2914e8734e3779ead62353876d38

SHA512
9e3a4852042117480daeadff58d88bc1adb51f1d43713f511cd47829394e4f0555512baa170fdbfa2e13413d87db48291fb5bbec5f9737c415fc63eba9a884ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b08d5bb15ddb8bd2210880471f9dbaba

SHA1
64a08a6bb045171ac413b1ecd9ca0ef97834dc72

SHA256
5cdff4608beb2015579c9f990bf144238b3f89ee53947e11fd18a5f8f132f454

SHA512
cf228d4c164366679abdd325e12a407104797bd3b8f4993016aa193fc5c43eb98119497a6cd9451e1cd88217e9f18caddb51c35e4586e30f9bf93fe2ef6de0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
401cc4a578b201804c664fc5ede9b111

SHA1
f0e55ead5c85d69cea7efbb903a35bb39ab96078

SHA256
4e9a6aff76e0934ecf42ea11187a215284b8dabf734278833c8cd5364f419a09

SHA512
5a3fc864fcf77c2a45a030a84ca22a080d7f4316081de5c8db004ec1b694577c2727c997162e5dda9667915e888fe8bfdd2cd8bc03d449acf8c3a2b8a0bf4ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3bb285ccbbea242fefe309bd1a5bb9a

SHA1
80cdf67e73bacc55898b5c40abe08c5c5b56198c

SHA256
4718649c186c658658a961f8cca488ff77045e150819e293b1cbaa2d5d957f69

SHA512
c6d25fc5b8da38779a8551802c2c9a847e2ae5e25c7b2b00e8732e2843f58bd7833140c37e18d2c2d3109e609c951ee0dfbdb49751ac52eb71f726c2256a334e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18ebf74537e9b7f55ac671ed7f7cd835

SHA1
f0c326ff4edde6f8e6124f7dbdcd07d17acfb4f1

SHA256
58a37df040844c0f223aad856a931e22cd07407aa88328e90b8fcf4cfb0202db

SHA512
1644676a7e3ebb330567ccb71e19b2fd38cb1f73ad3437925ffbe91f437eadf395cf3ca9d432bfb4e62a32346b46509c2347e4354d4bb85318a04aa47a579343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
983f3dab94fd491b8d3f1e955ac27b22

SHA1
ab4e73fb56111f5a1be7a65a2b674900cf614dc4

SHA256
6a3564a3bedd8b671d9224299a6982b7635e7392d111cec8d84be959be4f2256

SHA512
1c30cef2785edeb79667c82bf3bc45fefd5e0c517523974719feee53b6f321a5edefb5104bf6aad6c886394517e3ec72a8aee6d3f5f9337775a722ac2fac8a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87a382c202d0c692c3889af5e5ae6a71

SHA1
4ec9ec3eff32d217918090ac3e4ddf3448239178

SHA256
aa20cd57c8dfaa9f3c6b6cf0b991e3a056235c7e5c0e93926f5909ce3a9ef85b

SHA512
aed2125c203eea1c3062ba160e3eb6db88fa97be72583113dcda2d185fbbb73d41492e33f8926c9b3aafe69ddd3c9928695841851050afcf76c536d9bf90acc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ad53a7f87ca12ee43605fb62a268e5c7

SHA1
64c6ba06f03bd75015d29e1048590b57a44f2c26

SHA256
bd0d9bf2072f147dbc643688dc2468818c38764ef2f97764fca8c7b0b7270690

SHA512
7a4a2ae737bdd6e8cde5fda39e92ef941b7324dbb13ab7b719a9081021dbff7e877487036c980ce30c334771523ffea4ac71c0740ab54d53b9131922fc8b2cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
62b2939d02cb479386a455796cc3c670

SHA1
d81aa97f8684e0fb631ec5b4f88921f2ba6bbdad

SHA256
85babbd29b3af905e77ea0a9adfc2de6bab2a9fb92d4a8050df758f72b13df79

SHA512
2aee29b2af4cf810d6e1b8a997d9bf8230d7e50417bf9f2824ec78cff3848dfe8eb2c72ebf56eb0d2f25ed4dab3ae43badbbbb1ed1bfc5ea0097e1e2cbeb131c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
1e058f1bd8a0de602083b28aaeec3933

SHA1
3b68cb59173016a93a83b416d8288926173ce5a4

SHA256
e811766446bfabb93ac4f18dfa8a4734d65e7a128a304209c03f22d00ee9fba9

SHA512
a90d4f3ffdd5a1c298ad6e6b3ee11efd64196897b95825f577352bf724b6570128142d5b10dd1a483d508f02f8698b823469c5b539bfdb4e98968e86abecad18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzf0cvx5.vgt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3232-11-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/3232-10-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/3232-9-0x000002186EB50000-0x000002186EB72000-memory.dmp

Filesize
136KB

Download
memory/3232-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp

Filesize
8KB

Download
memory/3232-16-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/3232-12-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/3232-15-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download