03351bca89c7d7ea84d830cb33667f7303b54fbbbd075873bf4977731a8a1a7c

Analysis

max time kernel
151s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19-06-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CampPinecrest.exe
Size

154.6MB
MD5

90c6a23773f49c855e3a699ec1e8e41a
SHA1

8f807dc81f82ddec7e2268731b51cf2a7ce8355b
SHA256

5c17d584b30185edc3a20e5cc04fa3e40fa39656081f49b6298846012071ec3e
SHA512

6f7eb32a45bf8df737289ddd4d844dbec5ec44c5799c12382e579ab9e96db949b7dada2e0fb22f85163a32d3e9f0639250bdbc4ef86e9d9537f00ebb5b7a144a
SSDEEP

1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4580	CampPinecrest.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1680	cmd.exe
2944	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4284	tasklist.exe
2316	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2060	powershell.exe
2060	powershell.exe
2136	powershell.exe
2136	powershell.exe
4092	powershell.exe
4092	powershell.exe
4056	CampPinecrest.exe
4056	CampPinecrest.exe
1556	CampPinecrest.exe
1556	CampPinecrest.exe
1556	CampPinecrest.exe
1556	CampPinecrest.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	tasklist.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2316	tasklist.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: 36	2324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: 36	2324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4204	4580	CampPinecrest.exe	78
PID 4580 wrote to memory of 4204	4580	CampPinecrest.exe	78
PID 4580 wrote to memory of 4452	4580	CampPinecrest.exe	80
PID 4580 wrote to memory of 4452	4580	CampPinecrest.exe	80
PID 4452 wrote to memory of 4284	4452	cmd.exe	82
PID 4452 wrote to memory of 4284	4452	cmd.exe	82
PID 4204 wrote to memory of 2060	4204	cmd.exe	83
PID 4204 wrote to memory of 2060	4204	cmd.exe	83
PID 4580 wrote to memory of 3060	4580	CampPinecrest.exe	85
PID 4580 wrote to memory of 3060	4580	CampPinecrest.exe	85
PID 4580 wrote to memory of 1680	4580	CampPinecrest.exe	87
PID 4580 wrote to memory of 1680	4580	CampPinecrest.exe	87
PID 3060 wrote to memory of 2316	3060	cmd.exe	89
PID 3060 wrote to memory of 2316	3060	cmd.exe	89
PID 1680 wrote to memory of 2136	1680	cmd.exe	90
PID 1680 wrote to memory of 2136	1680	cmd.exe	90
PID 4580 wrote to memory of 2944	4580	CampPinecrest.exe	91
PID 4580 wrote to memory of 2944	4580	CampPinecrest.exe	91
PID 2944 wrote to memory of 4092	2944	cmd.exe	93
PID 2944 wrote to memory of 4092	2944	cmd.exe	93
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 448	4580	CampPinecrest.exe	94
PID 4580 wrote to memory of 1492	4580	CampPinecrest.exe	95
PID 4580 wrote to memory of 1492	4580	CampPinecrest.exe	95
PID 4580 wrote to memory of 4056	4580	CampPinecrest.exe	96
PID 4580 wrote to memory of 4056	4580	CampPinecrest.exe	96
PID 1492 wrote to memory of 2324	1492	cmd.exe	98
PID 1492 wrote to memory of 2324	1492	cmd.exe	98
PID 4580 wrote to memory of 4984	4580	CampPinecrest.exe	99
PID 4580 wrote to memory of 4984	4580	CampPinecrest.exe	99
PID 4984 wrote to memory of 3000	4984	cmd.exe	101
PID 4984 wrote to memory of 3000	4984	cmd.exe	101
PID 4580 wrote to memory of 2304	4580	CampPinecrest.exe	102
PID 4580 wrote to memory of 2304	4580	CampPinecrest.exe	102
PID 2304 wrote to memory of 4460	2304	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe
"C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe
  "C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\CampPinecrest" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1904,i,15554420747727569432,293266500541115686,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe
  "C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\CampPinecrest" --mojo-platform-channel-handle=1232 --field-trial-handle=1904,i,15554420747727569432,293266500541115686,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get ProcessorId
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get Product
    3⤵
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
  2⤵
  PID:1980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get SerialNumber
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
  2⤵
  PID:1584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption
    3⤵
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
  2⤵
  PID:2928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get TotalPhysicalMemory
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
  2⤵
  PID:1056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_videocontroller get caption,PNPDeviceID
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
  2⤵
  PID:5044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get SerialNumber
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:4644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe
  "C:\Users\Admin\AppData\Local\Temp\CampPinecrest.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\CampPinecrest" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1904,i,15554420747727569432,293266500541115686,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4af71653365c849f80f9300cdd4722b

SHA1
464e9bfbc2cf266ad93ab70c1132a09d2cb51c94

SHA256
585b3fc56e040a5d00a63137c9ef57c2bd43cc477944f749c34f4849e0995c00

SHA512
7bcda75518c5bf23eb095b11f10ce3915e2ceb744bd9123713ba162098f87729d94b6281591df9e1f187b4aecad8efe3ecb03d98842d0a72e1944af3d9efd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ff70fd7-e074-4078-a0bb-7ac7aa70f4fa.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\All\System\PcInformation.txt

Filesize
477B

MD5
e7a91559cf50c1884a57aa05e2fce6de

SHA1
cf87b8510114986e5329a748a91b685cfd102dd8

SHA256
cfd66d25fad82157842a14e12c9e50fb9e62cbd35bb5ae61f99e1d06d1c58a6c

SHA512
1874985770c71ff878921e572267a8eaeaab301b64d2139924039bd2d0949cb261dd87cf623a3573faa33afe7d692ed772522ee8902bfef77d75d2225bce08c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passwords.txt

Filesize
14B

MD5
b4b41665eb819824e886204a28cc610b

SHA1
e778edb6f635f665c0b512748b8fec6a2a23a88b

SHA256
635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6

SHA512
37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roe1bgea.rsp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1556-118-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-106-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-108-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-107-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-112-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-114-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-116-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-115-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-113-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/1556-117-0x00000207EAD30000-0x00000207EAD31000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000024C4D700000-0x0000024C4D722000-memory.dmp

Filesize
136KB

Download
memory/2136-28-0x000002C6DDDA0000-0x000002C6DDDF0000-memory.dmp

Filesize
320KB

Download