Analysis
max time kernel: 75s
max time network: 80s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 03:15
Static task: static1
General
Target: BaffClient.exe
Size: 71.4MB
MD5: f8147c844df079ca0b4f58906330ba8c
SHA1: 52e467909fd1936917a86ee2f36a820fd25025fc
SHA256: 064cd228d36496ffabf693040096d5f4a83ee97929eb0080a62bcb57ec0ede03
SHA512: 4236c291b625f0d6a3146111fb595bfc025f20ea95f4c2b22e2bdd602f6c461e53af035745a075ef5fd7ee5d26268e98e7313bd78de1ac3e32abef56c3d6696a
SSDEEP: 786432:ZdyRHFwanoK0du8XOzGbY55kQshmSBaNf6rt:ZdyxSaBL8XGGE55XArt
Malware Config
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: file.exe, WScript.exe, Windll.exe
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | file.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | Windll.exe

Executes dropped EXE (3 IoCs)
Processes: file.exe, Windll.exe, RuntimeBroker.exe
  pid  | process
  636  | file.exe
  3660 | Windll.exe
  3076 | RuntimeBroker.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Drops file in Windows directory (3 IoCs)
Processes: BaffClient.exe, Windll.exe
  description  | ioc                                              | process
  File created | C:\Windows\file.exe                              | BaffClient.exe
  File created | C:\Windows\Sun\Java\Deployment\csrss.exe         | Windll.exe
  File created | C:\Windows\Sun\Java\Deployment\886983d96e3d3e    | Windll.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description       | ioc                                                                                                                                                   | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                          | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                       | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
  description       | ioc                                                                   | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
  description     | ioc                                                                                                          | process
  Key created     | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                        | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628085882264861"   | chrome.exe

Modifies registry class (2 IoCs)
Processes: file.exe, Windll.exe
  description | ioc                                                                                  | process
  Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | file.exe
  Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | Windll.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Windll.exe
  pid  | process
  3660 | Windll.exe (all 64 entries are this process)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: RuntimeBroker.exe
  pid  | process
  3076 | RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes: chrome.exe
  pid  | process
  1808 | chrome.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Windll.exe, taskmgr.exe, RuntimeBroker.exe, chrome.exe
  description                     | pid  | process
  Token: SeDebugPrivilege         | 3660 | Windll.exe
  Token: SeDebugPrivilege         | 1656 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1656 | taskmgr.exe
  Token: SeCreateGlobalPrivilege  | 1656 | taskmgr.exe
  Token: SeDebugPrivilege         | 3076 | RuntimeBroker.exe
  Token: SeShutdownPrivilege      | 1808 | chrome.exe
  Token: SeCreatePagefilePrivilege| 1808 | chrome.exe
  (the two chrome.exe entries alternate for the remaining entries of the 64)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: taskmgr.exe, chrome.exe
  pid  | process
  1656 | taskmgr.exe (repeated)
  1808 | chrome.exe (repeated)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe, chrome.exe
  pid  | process
  1656 | taskmgr.exe (repeated)
  1808 | chrome.exe (repeated)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: BaffClient.exe, file.exe, WScript.exe, cmd.exe, Windll.exe, cmd.exe, chrome.exe
  description        | pid  | process        | target process
  PID 4392 wrote to memory of 636  | 4392 | BaffClient.exe | file.exe
  PID 636 wrote to memory of 3400  | 636  | file.exe       | WScript.exe
  PID 3400 wrote to memory of 3556 | 3400 | WScript.exe    | cmd.exe
  PID 3556 wrote to memory of 3660 | 3556 | cmd.exe        | Windll.exe
  PID 3660 wrote to memory of 3452 | 3660 | Windll.exe     | cmd.exe
  PID 3452 wrote to memory of 5100 | 3452 | cmd.exe        | chcp.com
  PID 3452 wrote to memory of 4036 | 3452 | cmd.exe        | w32tm.exe
  PID 3452 wrote to memory of 3076 | 3452 | cmd.exe        | RuntimeBroker.exe
  PID 1808 wrote to memory of 5112 | 1808 | chrome.exe     | chrome.exe
  PID 1808 wrote to memory of 5024 | 1808 | chrome.exe     | chrome.exe
  PID 1808 wrote to memory of 2060 | 1808 | chrome.exe     | chrome.exe
  PID 1808 wrote to memory of 1740 | 1808 | chrome.exe     | chrome.exe
  (each parent/target pair appears more than once in the 64 entries; duplicate rows are collapsed here)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\BaffClient.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BaffClient.exe"
    PID: 4392
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\file.exe
        Command line: "C:\Windows\file.exe"
        PID: 636
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Mshyperagenthostnet\IQPWXTciOzBiF1DeSqwFpjIDV9fjjuHa5fEfx3sqjP5TYoxDCMjnzQn.vbe"
            PID: 3400
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Mshyperagenthostnet\HwPkyWu6eqFTNAd0kGzN0uBj4rmg86xS4jMcxsNEx2xITbH.bat" "
                PID: 3556
                - Suspicious use of WriteProcessMemory

                [5] C:\Mshyperagenthostnet\Windll.exe
                    Command line: "C:\Mshyperagenthostnet/Windll.exe"
                    PID: 3660
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Modifies registry class
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\System32\cmd.exe
                        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CpE9VJhpe1.bat"
                        PID: 3452
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Windows\system32\chcp.com
                            Command line: chcp 65001
                            PID: 5100

                        [7] C:\Windows\system32\w32tm.exe
                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 4036

                        [7] C:\Recovery\WindowsRE\RuntimeBroker.exe
                            Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                            PID: 3076
                            - Executes dropped EXE
                            - Suspicious behavior: GetForegroundWindowSpam
                            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 1656
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 1808
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6b8fab58,0x7ffc6b8fab68,0x7ffc6b8fab78
        PID: 5112

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:2
        PID: 5024

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 2060

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 1740

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:1
        PID: 4028

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:1
        PID: 1108

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:1
        PID: 3540

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 4752

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 532

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 1764

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 4196

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1800,i,17218197920252114069,18172883333302779721,131072 /prefetch:8
        PID: 2824

[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    PID: 724
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 98B
MD5: 02d81622b98711a782bac512a4b6d607
SHA1: 778ea4853f2ef2ac25b8c07ed09bd2b7433df155
SHA256: 26a1d2cc4370f14cff81d84b2b602932c46639f6a8b7d3e87746194e1b6b1e0a
SHA512: d7b10d076fe4dc9e8e4a3ae4b867ddbbce19a54f2c75f9443cedb0185d0715ebbd873185968d6e78dafc2d48362692233d918e2867808de33b19371ad38a5c3b

Filesize: 241B
MD5: ed0d3e057c717be6c471fdf31fca580c
SHA1: 2c62ce4023ce60a541549815fc2fc202fdf74637
SHA256: fb797b3b6d792931d24b3aa0edec4f96e94a14e8ed8a3a27d48b6cc862413aaa
SHA512: ed9b8dfca548ed02e0d78042d345bd36864dded9f166ba3221d23ea699b4548494952a1b2838eb2e6eea6f4d521e4140e3455cfbae22ecf8a36d48409c1a2480

Filesize: 1.9MB
MD5: 1e7b61238c6e240c120664b8c124f361
SHA1: 67840424837a1ca004d6e3a9a775640d8fce85bd
SHA256: 8e2c77982f5fda6bcbe1ded215aa776fbc329063d5a33f319157b97d69875a93
SHA512: 359097cdd20bee3debbd7935ce17e03b7db5151357349fa7649fb345254774569a2bb2ff2e6418f07161c05e67cd17837a0aec62b047638f49976bbb8bbd0a6f

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 532824b0bd5e09092a08440883cc663a
SHA1: a363ea4877c98f98f4261932b35d3e4df79b99bd
SHA256: 9b6d0b01499de78db95394374450cfc2a443bade564575323287db9056e66fd2
SHA512: b8584cc5b1ffab09f9ce6d1c4e6c4c0b21daf8c6e8c1e58606f446f95602c2661263c4314426fd9f3b216c3a597267d0f34349288ece1339e9cb032b5e0eb3bf

Filesize: 6KB
MD5: b03d88bb5f4f4696e0dcce857000e19c
SHA1: 2f116b272d971b5513f68d3e81f2f02f286ff6ce
SHA256: 274091b734cb570d4aee0a216581371e67b9f70ce68427ac5aedb67782c7bdab
SHA512: c5d670bbccd1f0b603e9fd91d09f93818a6e77521ffc3ffdb8092eb7da1b485e00b7fea632a201113d12aabbb6c462b68db0c755d6b88ef28a8f5b68bb8482f8

Filesize: 6KB
MD5: 6cf6b692f3d4395c427970ee914ca597
SHA1: d65c4882668689cc416c09213285e2d7edcb356f
SHA256: 24f510db1ed683da724344807dce69c10447bd8f64ff27508d55c9ebc20160c2
SHA512: f8f665979060a853ef6ca292c7bec565f1b10ddd13ad5d24b8be000cde53e74caf7109aa1e968bb1fed2e237a8d67c3faabc1001277d22db4292b46cb06160e2

Filesize: 6KB
MD5: e5308fe13804cc254023b3a1f1800f0e
SHA1: cf7e6ed1dc71852ae58d506238179a5423fec184
SHA256: 0cc1d8508d09b8129d83aaec864e40e5169053c73d3aab4b471262ec0cb45ad1
SHA512: b4e098dc3d68e0fa9c49bb14eec38780826948a5ce911de711e51be5186efac373a38eb1a370b69ae92efd664ba624293de73828ac7d3fe9b1434e145127fff4

Filesize: 16KB
MD5: 438fe80d01b3437d093fd2a6fa514b0b
SHA1: 3be5437cc90965e675cd592961b4cbfb7c7ccce4
SHA256: 54075ccbb86490f65e923c548bab1c4ffe3df80b252a76e4323ff0d6cc72ee8b
SHA512: e220e0c31328c3a913e3be5238744e230deae6ec9a56ce081e0716797cd3c3969a30627c6c3608ceec6d5a3ef21ebcb1d4f8b0c49549b266a289bc6dcd13850b

Filesize: 276KB
MD5: 9eeae8d11d169247b33f3f5a90088ec6
SHA1: 9df03879bb1b8a349b115e93e249bc9ff36050a2
SHA256: d8550ec83e3402a8a94a4373c1dc96f495f9ed01e0d9a72df9f7a792cfae0f30
SHA512: aea75df2d4176f394f09e09b35f8210250483a24fd3dd6efc88e257e7166b8df3b372355f206604c8a44b0199536b21dcd19b31fd459ba94869223571dbf08c8

Filesize: 215B
MD5: ba51b895474b9c7169566a40941584a8
SHA1: 8fa7f741a43898099f0da5d1ed0bdbc1b1a36692
SHA256: 6b8ad838e6ed0bb51e26b4ded6fec9c2e383898c3babcda0c632834dcfaeb1ac
SHA512: 2f3d85228d936e56a83c3af1156df72748bed7887a746dcb4ee1a20ca9d3a4dc89a53f1fb806f483b0b627198eb933dcedb2c5fbb6bb4b58bb681ca9fff803db

Filesize: 2.2MB
MD5: 4f79bff971f7946a82f46a7e0f19245f
SHA1: cd67ff400eecfe4f2eb2e53b384b7d10b3b543b4
SHA256: bbb5479f61dc5e00619f2b7a0198eb7077d926b49b4b2aae94604648449bb1e4
SHA512: 13704bb8990ff1347a037df9d8060ac06468d3d26d5dd09f2f88f4a49e5482f6c6a0380829263cdabc0c296b3cc2ddc621c8574e1e3ed47d5bab735cd7d12f01

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e