a29e9fb5a99d48dab2afe265b04c4b80dd1bb31311a4082058262972300bc6df

Analysis

max time kernel
25s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat.bat
Size

142B
MD5

41300534f9c673f8c584acb04a109117
SHA1

4cbf4a4de79a6d74619c4954003468d24521073a
SHA256

a29e9fb5a99d48dab2afe265b04c4b80dd1bb31311a4082058262972300bc6df
SHA512

2a8799c8087e84c9ba8e813cc342af76dff744568fc4ec909e8fe446f294a0e668f3b94598222a9a24f28a4b40df764bdebff466131f252c4e26264c94bfc0cb

Score

5^/10

discovery

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
6788	tasklist.exe
5116	tasklist.exe
5868	tasklist.exe
5064	tasklist.exe
3892	tasklist.exe
1080	tasklist.exe
5248	tasklist.exe
676	tasklist.exe
1088	tasklist.exe
5712	tasklist.exe
6316	tasklist.exe
2816	tasklist.exe
3728	tasklist.exe
6744	tasklist.exe
4696	tasklist.exe
3808	tasklist.exe
5300	tasklist.exe
6112	tasklist.exe
7356	tasklist.exe
7516	tasklist.exe
1696	tasklist.exe
3140	tasklist.exe
2492	tasklist.exe
5948	tasklist.exe
3856	tasklist.exe
3488	tasklist.exe
7756	tasklist.exe
664	tasklist.exe
2912	tasklist.exe
5460	tasklist.exe
6200	tasklist.exe
6988	tasklist.exe
2368	tasklist.exe
7428	tasklist.exe
5228	tasklist.exe
1028	tasklist.exe
6636	tasklist.exe
7828	tasklist.exe
4080	tasklist.exe
912	tasklist.exe
1428	tasklist.exe
6028	tasklist.exe
7068	tasklist.exe
7588	tasklist.exe
5624	tasklist.exe
5644	tasklist.exe
1236	tasklist.exe
4896	tasklist.exe
5468	tasklist.exe
7072	tasklist.exe
6972	tasklist.exe
4816	tasklist.exe
3424	tasklist.exe
5140	tasklist.exe
6888	tasklist.exe
1076	tasklist.exe
2512	tasklist.exe
2492	tasklist.exe
2668	tasklist.exe
2992	tasklist.exe
3724	tasklist.exe
3424	tasklist.exe
2368	tasklist.exe
4256	tasklist.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	912	tasklist.exe
Token: SeDebugPrivilege	4208	tasklist.exe
Token: SeDebugPrivilege	4444	tasklist.exe
Token: SeDebugPrivilege	5040	tasklist.exe
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	1236	tasklist.exe
Token: SeDebugPrivilege	3856	tasklist.exe
Token: SeDebugPrivilege	2992	tasklist.exe
Token: SeDebugPrivilege	1428	tasklist.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: SeDebugPrivilege	3140	tasklist.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeDebugPrivilege	428	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	3424	tasklist.exe
Token: SeDebugPrivilege	3808	tasklist.exe
Token: SeDebugPrivilege	1500	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	2368	tasklist.exe
Token: SeDebugPrivilege	3892	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	1076	tasklist.exe
Token: SeDebugPrivilege	3856	tasklist.exe
Token: SeDebugPrivilege	3560	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	3488	tasklist.exe
Token: SeDebugPrivilege	3724	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1700	3452	cmd.exe	79
PID 3452 wrote to memory of 1700	3452	cmd.exe	79
PID 3452 wrote to memory of 1696	3452	cmd.exe	80
PID 3452 wrote to memory of 1696	3452	cmd.exe	80
PID 3452 wrote to memory of 664	3452	cmd.exe	81
PID 3452 wrote to memory of 664	3452	cmd.exe	81
PID 3452 wrote to memory of 2480	3452	cmd.exe	83
PID 3452 wrote to memory of 2480	3452	cmd.exe	83
PID 3452 wrote to memory of 4816	3452	cmd.exe	84
PID 3452 wrote to memory of 4816	3452	cmd.exe	84
PID 3452 wrote to memory of 2044	3452	cmd.exe	85
PID 3452 wrote to memory of 2044	3452	cmd.exe	85
PID 3452 wrote to memory of 1400	3452	cmd.exe	86
PID 3452 wrote to memory of 1400	3452	cmd.exe	86
PID 3452 wrote to memory of 912	3452	cmd.exe	87
PID 3452 wrote to memory of 912	3452	cmd.exe	87
PID 3452 wrote to memory of 1736	3452	cmd.exe	88
PID 3452 wrote to memory of 1736	3452	cmd.exe	88
PID 3452 wrote to memory of 4952	3452	cmd.exe	89
PID 3452 wrote to memory of 4952	3452	cmd.exe	89
PID 3452 wrote to memory of 4208	3452	cmd.exe	90
PID 3452 wrote to memory of 4208	3452	cmd.exe	90
PID 3452 wrote to memory of 2340	3452	cmd.exe	91
PID 3452 wrote to memory of 2340	3452	cmd.exe	91
PID 3452 wrote to memory of 1788	3452	cmd.exe	92
PID 3452 wrote to memory of 1788	3452	cmd.exe	92
PID 3452 wrote to memory of 4444	3452	cmd.exe	93
PID 3452 wrote to memory of 4444	3452	cmd.exe	93
PID 3452 wrote to memory of 1916	3452	cmd.exe	94
PID 3452 wrote to memory of 1916	3452	cmd.exe	94
PID 3452 wrote to memory of 5080	3452	cmd.exe	95
PID 3452 wrote to memory of 5080	3452	cmd.exe	95
PID 3452 wrote to memory of 5040	3452	cmd.exe	96
PID 3452 wrote to memory of 5040	3452	cmd.exe	96
PID 3452 wrote to memory of 4236	3452	cmd.exe	97
PID 3452 wrote to memory of 4236	3452	cmd.exe	97
PID 3452 wrote to memory of 4184	3452	cmd.exe	98
PID 3452 wrote to memory of 4184	3452	cmd.exe	98
PID 3452 wrote to memory of 5064	3452	cmd.exe	99
PID 3452 wrote to memory of 5064	3452	cmd.exe	99
PID 3452 wrote to memory of 1552	3452	cmd.exe	100
PID 3452 wrote to memory of 1552	3452	cmd.exe	100
PID 3452 wrote to memory of 4916	3452	cmd.exe	101
PID 3452 wrote to memory of 4916	3452	cmd.exe	101
PID 3452 wrote to memory of 3640	3452	cmd.exe	102
PID 3452 wrote to memory of 3640	3452	cmd.exe	102
PID 3452 wrote to memory of 2800	3452	cmd.exe	103
PID 3452 wrote to memory of 2800	3452	cmd.exe	103
PID 3452 wrote to memory of 2436	3452	cmd.exe	104
PID 3452 wrote to memory of 2436	3452	cmd.exe	104
PID 3452 wrote to memory of 2816	3452	cmd.exe	105
PID 3452 wrote to memory of 2816	3452	cmd.exe	105
PID 3452 wrote to memory of 1076	3452	cmd.exe	168
PID 3452 wrote to memory of 1076	3452	cmd.exe	168
PID 3452 wrote to memory of 3360	3452	cmd.exe	107
PID 3452 wrote to memory of 3360	3452	cmd.exe	107
PID 3452 wrote to memory of 1236	3452	cmd.exe	108
PID 3452 wrote to memory of 1236	3452	cmd.exe	108
PID 3452 wrote to memory of 3496	3452	cmd.exe	109
PID 3452 wrote to memory of 3496	3452	cmd.exe	109
PID 3452 wrote to memory of 3016	3452	cmd.exe	110
PID 3452 wrote to memory of 3016	3452	cmd.exe	110
PID 3452 wrote to memory of 3856	3452	cmd.exe	171
PID 3452 wrote to memory of 3856	3452	cmd.exe	171

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1700
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:664
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2480
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2044
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1400
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1736
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4952
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2340
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1788
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1916
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5080
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4236
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4184
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1552
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4916
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2800
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2436
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1076
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3360
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3496
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3016
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1780
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2448
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2724
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3124
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3528
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1312
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1080
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4196
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3632
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2828
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4368
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1688
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:420
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1856
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4804
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4672
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:332
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2680
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4728
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4020
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2268
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2924
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1228
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3748
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1140
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4648
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4624
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:828
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2168
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4900
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5076
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4208
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4076
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2100
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5040
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4100
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2400
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3204
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1440
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1904
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2568
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4188
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3928
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:648
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1416
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3020
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4972
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2408
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2628
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1752
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2140
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:392
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3424
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:908
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2520
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5000
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3696
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3228
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3728
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2052
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4856
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:2004
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5076
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1496
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:1144
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:240
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2400
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:1540
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2700
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2308
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5116
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1072
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2752
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:3140
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1080
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4972
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2512
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4548
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3368
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2492
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2140
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1140
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4080
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3584
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1040
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:32
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2460
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4908
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:240
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:1440
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:580
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:676
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2976
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1080
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:4888
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4804
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:924
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2492
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4968
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3224
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2368
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2004
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1440
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2668
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5116
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4548
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:4888
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:3324
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5052
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4256
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2460
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2668
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:860
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:4804
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4060
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:4256
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:2004
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5132
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5140
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5148
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5212
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5228
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5236
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5292
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5300
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5308
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5372
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5380
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5388
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5452
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5460
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5468
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5532
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5544
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5552
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5616
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5624
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5632
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5696
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5712
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5720
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5776
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5792
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5800
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5856
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5868
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5876
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5936
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5948
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5960
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6020
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6028
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6036
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6100
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6112
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6120
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4888
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5180
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5152
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5232
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5248
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5256
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5412
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:5392
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5428
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5496
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5468
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5584
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5628
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:5644
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:5664
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6188
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6200
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6208
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6612
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6624
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6632
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6736
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6744
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6752
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6816
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6824
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6832
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6896
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6904
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6912
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6980
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6988
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6996
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7060
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7068
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7076
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7144
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:7152
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7160
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6220
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6316
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6268
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6320
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6204
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6224
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6704
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6636
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6628
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6936
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6972
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6916
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7116
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7072
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7080
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6552
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:6324
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6548
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6248
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6788
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6808
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6864
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6888
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6872
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7092
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:7076
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6204
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6948
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:6972
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:6912
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7260
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:7268
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7280
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7340
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7356
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7364
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7420
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7428
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7436
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7500
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7516
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7524
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7580
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7588
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7600
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7660
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  PID:7668
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7676
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7740
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7756
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7764
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7820
- C:\Windows\system32\tasklist.exe
  tasklist /fi "IMAGENAME eq notepad.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7828
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7836
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:7900
- C:\Windows\system32\find.exe
  find /i "notepad.exe"
  2⤵
  PID:7920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb8f10cc40,0x7ffb8f10cc4c,0x7ffb8f10cc58
  2⤵
  PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8f10cc40,0x7ffb8f10cc4c,0x7ffb8f10cc58
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:6228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3520,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:6472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:6776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,8182235996777995940,7605877700405176908,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:6904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:7036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
002032ef86b63e0918832b475a2c3e76

SHA1
a2f6e0542b8bd7a9964a082a8c95ec07abb3630e

SHA256
b2e4d29196b60ef492cfb2468cc2aceb91314e33cfcdc3fdca696c23b453f621

SHA512
43dca9f89fe685499717cf6ee5cc5f0a737be929034027907187c0dca272d6427c600f9e87b4cdd1f2c1b6747ce36388f11a8f9cf61f2c62bbb0ee0be6798097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d7547fe27897589b710ccd1e17bf2f7d

SHA1
f369ad4352120a1a96a1ade1a968e780adaf5474

SHA256
84fd83260d1f465efc2326f03c824fa42490e2948cb03c0335f4232dffffa770

SHA512
46459df7384ad219db35e5203a90a8e4e1c4dce6f779afa122e3265c348671ff8a52967ea2b1b015619055c9b74639af42a0d5e22accee88daa545a3af6cee05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit