Analysis
-
max time kernel
145s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24-09-2024 11:52
General
-
Target
Remcos Professional Cracked By Alcatraz3222.exe
-
Size
17.7MB
-
MD5
efc159c7cf75545997f8c6af52d3e802
-
SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1
-
SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
-
SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
-
SSDEEP
393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx
Malware Config
Extracted
njrat
0.7d
HacKed
dllsys.duckdns.org:3202
3b570ffeeb3d34249b9a5ce0ee58a328
-
reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
-
splitter
svchost
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a2dcb2-4583-4da6-83a2-233fe9bc1b73} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4c7dc89-ce58-47a5-bb4d-2b100ae50f99} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 2800 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b3ef55a-681c-4cd1-af0c-a8afca45bb65} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3624 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce86e32d-5172-40bd-9bc5-a04cd6a56124} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3624 -prefMapHandle 4356 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dcf2384-0a22-4aa3-bda8-22691446824b} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5224 -childID 3 -isForBrowser -prefsHandle 5216 -prefMapHandle 5212 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d9d177-a8e0-4720-b470-4fce59f5d5bf} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e382fbb-7e80-4897-b305-7819958f7ab8} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5488 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {717119b5-acb9-47c1-ae16-c27983a324a0} 3256 "\\.\pipe\gecko-crash-server-pipe.3256" tab3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd7454cc40,0x7ffd7454cc4c,0x7ffd7454cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2360,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2356 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2400 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1992,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2592 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3140 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3176 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4532 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3684,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4976 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7177d4698,0x7ff7177d46a4,0x7ff7177d46b03⤵
- Drops file in Program Files directory
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4820,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4812 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5196,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4904 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3312,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3876,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4620,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4560 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4516,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4632 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5348,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4656 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4528,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5344 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5264,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5404,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4564,i,9901959333297467785,13790733652223294314,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4612 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5761f1a7ce1ae738465c58c5a99b15f4e
SHA11189bd5c7cad90a03f867dceb9c75f054e029e7a
SHA256648a277c0e80e4dd1872fa6779b812267e51ea0c48fd4b471cb9ec8c9625f52f
SHA5123a0f03887993411eddc71d40182799ed4de678aa48cffc843105883de6513535b6caff62ac67540886e85c55d8291cf495e7857b0bfac0502094007e661fbc87
-
Filesize
649B
MD5690e0bf9d5b9e5424a151fe896604474
SHA1d79cc7b6dea102706ac76858b6593661ae03d1fc
SHA25643b6ee01262f06d229a9774747022c40cf192db37faad8e3178234344aa3c4c9
SHA5124805b3c028af9c86746b86ee332d8df313dd882c31ae77c6f1500804e95a52040c60b681255b36b8950fd9e3b11b7244daa6e280bccaf68607ce1381e3dd59b2
-
Filesize
843B
MD5581a390013b962d3ff19e18cf8ffa581
SHA15a8ad7b50ca85185fac23b0324a7ebbc0051bea4
SHA25624d32e92f37384d107e37dc34970944b86294ccae0c7073403b42efd3e3d0444
SHA51275e5c478afccd077e683d37fb3e75cbec9d58b939b2e90829d89282f757a890857e722acbda5d8ed91b1594daa33fa760562279f03cb37645026da0b9949ef19
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
9KB
MD5681ec1bbb4b65f990244bfe279d8ba7a
SHA1efbc12415bc4d8ca2ef6d956310edd1ecfb72398
SHA256aef0661ef997c365ec60e42be69cc3c6c1cacf835eb3b7564a78dfa50c496a82
SHA51279cbb293af84c437f84756ffc4b86203a12e61e5a7f994fb3d8284f1f8fbc1d4c9081efab93d8bb520641d87d805ab3251bbbe3ee5409f8e103818b2dba0f167
-
Filesize
9KB
MD529a59c3877d525b7065fa9d0af0308d4
SHA127dc1085ceae50c992058351d6c1ba6d77bc5c45
SHA2569bf19d44a86c30477a1727b01428ec5e273efdf8a5182708fdc9be628c7634aa
SHA5120af44418348e0ac5be000c0483bc16fa90cf84725cb1e2b7ca775274d34a7528415d8d247bc9f85395c843c9944cbc46d2daedfc2d66ed72e743515fb4981880
-
Filesize
9KB
MD5a29568ff725b18e6e272ba2ec87d04bf
SHA17f57d5fce370c70c6a82fba703d7b8870010ebc2
SHA25629be12c45e4562589ee93878b732419f79debf2fe88f2949bb4fe9f97273533b
SHA512e96751aa98b7598713bec7ce6e44771f4695a143678857ebf8d223cade069af21b67f5b676eb3d1bd2748772555bc6f59688494fee50cae469d59736c33cb8c1
-
Filesize
9KB
MD5b7672d240056bceb6b5238dddbe8ea16
SHA1ca2fb8be062a6424b0f0a59bf46be5d9c2049f28
SHA25655b1e3a318bcc35f1ec7586e96033d3f3da614deda00636292f765f5a77a86cb
SHA512c9eb449f813a2049db3fee7e179e0ed117f5862d19384e987bf1e347323deccaa702924d4299b0f49b7bc526e38a5a9549ca973c721b42c2f2effb7d009124b1
-
Filesize
99KB
MD5804a1f0d368dda93926aac7c8d3d9810
SHA14665a184b2c15f22f61233803de2ca2f0da99f04
SHA25640681dd1d2c6714edfc06116bd6e6865d2edfd05b648e3ce5f2bd7cb1174aaf0
SHA512da3f00e5f3937d33fc5db387a81b96693677c935ad4259b1610e11fd8819f1befb4d23eb358694bba82216d8bacc68dfc82f7e3ad5d65b8b6697e15f830b85d0
-
Filesize
99KB
MD58b71de4a88ec9aca35017f85e9eb1af1
SHA126c0642b2cfb5618d522930c3db429827dbc317f
SHA2568ebb869fe5e8d1d61cb87379b80e6abe5f04edfe6125cdae37eddceb5363152d
SHA5126074780f56ee18c6ad24c193531fa00c5a1c0ec8c4dc6e5022a5c2f2d4d9b07a58ff2379e9eba74b6df05b8beeb44b74851ed0e8c1be9823d6ef5323f40c8ff6
-
Filesize
264KB
MD5bb78d2b51b00fdd01a980f5c6ed35074
SHA14e417dd4f9a159aefbfb3e3b9fd9725bf2df2085
SHA256e044dd624fe141853c882bc9e229914b8065d13ef2dbb262bc711f54bd33574a
SHA5127430aebbdf8a80d1cbed435e93dcf8d25ce435482483fa4a5e97af0a45420199f75942e08edbf4b34f8ef7e1ccad6379a0411041b9a15aa818e14f7859586088
-
Filesize
99KB
MD5e9a650d07a8f2f73fcf4335f8db1cf93
SHA1e9ed95fd4d266710cafb924b641da9b3fb9360ad
SHA256c37fed96d4664707d05708dce51e05f60ba56090d10374d5ee6840b5959bda09
SHA512b80cd12a0f86b38f20143f67fc1411a6591f302a97d38f6cdb6180ae113ee7194188c1e3acd63e0e55b655a2a9953585dd6f4d581a51a09d1c6de56189a7050e
-
Filesize
522B
MD50f39d6b9afc039d81ff31f65cbf76826
SHA18356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
SHA256ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
SHA5125bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9
-
Filesize
418B
MD550045c5c59ae3eb2db5452fb39e13335
SHA156226b40d4458df7e92f802381401e4183c97cb2
SHA256b90b2a4ba2c69f094edce48807ad1873b1265c83795139fbf4576697fe65cae9
SHA512bb20f9389e69e4a17fa254bd3b77212797f3be159ec6129b3a1501db3e24fb7b12096fbdbfcc93c24ecdb3cea88eae8a58e279b39c0777b6a4e9d4c15057faa4
-
Filesize
24KB
MD550895e25524d7d22640393cf8e1bf15b
SHA189ef7bb119d1a4976fcaede10cd010ff920fa5a4
SHA256fb3d4bf314906c391862f13e36cf37526a11d575722994a8824990a197b11183
SHA5123cc73c3245496c83617822ac61281e9a0a1094c014309f1e2fba7219d16a0f66b5b7e646cdbdc42ea5d9295905d72a28bcd6166f828d5aff51600b0a263356b2
-
Filesize
73B
MD51a32b94bd8d51df35d766b6affdfacfc
SHA1b35ba7f44b350dd9e86c74acfc722ee7373b77ee
SHA2563d464700f406245d63409c36aae1504dd9fb63c784cbf7ae8957052068213937
SHA5129f31cb9b0972efab2ba566acd10e0355acb316b49a8cdb5c3b0787cba9f97670ea592e385182fe143f54a2effb565c1f78083223bc4600cd961bbffc8f01d3bd
-
Filesize
17.7MB
MD5efc159c7cf75545997f8c6af52d3e802
SHA1b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
-
Filesize
229B
MD5c705d9d9732e434b429505ac8405154a
SHA19d7e3903a2c2ed2ae118982c2ef2bdc9a2c7f85c
SHA256461ca01730541f5405a76bce0a9d7b2314f8104eb0402104f1e80439c3ab4091
SHA512d511a1d264f75e7f9ce0efc7e6fd4ebeefd2e90858b4dbba80b25831f8ef51af95b4b1434fc5a558e8564d6aacd89a7f961eae05572e81feacee8898a4dc5416
-
Filesize
1KB
MD5f6048f244b89ab4aded29b62745316a1
SHA1d9ec032c108c11f9b6af1c10a9fb4a8c08007fcf
SHA2561fbf31c554840de286112fb4e11b74aaafab363a07f269764648a2a6852e314a
SHA512506fcf8c4ecac1063d820781a416c604ab674e31a82fca1c4bd5b66374822b0c9a6b6c889d037323a453728e476395104299b18417b83d8bb420c0b7e82001cc
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
5KB
MD5d129d7941fddc21bc4b1ef795d6812c4
SHA1e79bc8e3a9d39eac007dac7150c354b2ea2a4e37
SHA25682de7e5bc7842ba4844dcb87f500b450456f7c34c61119d36a683b9d499c3e7c
SHA512e807a97cf6cd48969138f62672695349e7780d61f459d2eb70a762412bfec68487ba229be24e62208fc54c974a5b0470d4fb29e82b479c0efbb37f850f652832
-
Filesize
982B
MD57a5a0a7a342049416b30fc538bfe2b04
SHA168c26829b7443a7ddd00fce5255bcc19bd6b6f21
SHA256c87f1268b5aa702464b1a28c0741b3851148ba19bf123fbbb27e3085b093bf87
SHA5125d8935d7391645030ab09235f8dbdbb2dc5d0c02b6bc1f0854bb76954fb4bd01322b9a6b9794806a6be0d36cf0de59485ba127c14f7bdefe70607fec8d4f36df
-
Filesize
671B
MD5a742410179097a6f01356355e172a740
SHA1be8a9977cee5781d556c93b920c3b271e9f3f66d
SHA2566857e3bd74f2637767ad72c9c501ea0e867772f307b9ce82e59a686737e22068
SHA51242479a993a02c6b6b2f3d695cf8e590e2f57bf1a1645bb65327b92efa4053361390deb7a833236aea8dc3af14448d761946adfd4bd7336710b987f3051b2d5e3
-
Filesize
27KB
MD553cff4558cd5c37e01210b289c71f052
SHA105267846653d3dd70b160d1a410ede09d1081612
SHA2567b87b7241da6d837ea5a9cb0ebcc008c578b95d0c92448852eb7ef17d7280e97
SHA51263cc96f17aff9a8ad67f2dbd9880801ae3b66f108a4b6ee3b76e8d362464fee6d5b48295e09cab34fb5cacb03da9d043680805b88a3f25fb1720421ff8293463
-
Filesize
11KB
MD55e0d8edb7ea9f2bf005e0d7724313c6a
SHA17840773c43c8c819a023c33933b4242fb1e5a7bb
SHA25696e821e74d1bbbf5efd13491d1feed111bd9a107099975e0cfe8bfc2bb6d0264
SHA512071f3eab798349f96bd78ecbe939abb7a4181b98f2811fcd7c697ef102e138189fa5a9be28cd0bf306bac8f6eb4695f7c9de698ecea8f64e85c7291b4a47f0a5
-
Filesize
11KB
MD52102290f375bdabc73e0c8870e535014
SHA1c71d9e11bf2395fada32d0857650c5fa8c8e09d2
SHA256a0771a1c23fefd67c02d7a4638fce2063960f172523fd85632ab0bce06ada46a
SHA51247db5e43d6953e9f8309b0ca376261ed09eca3128c7cc410603044b2cf63dbf3101b6abd7741ec958587fa920f1cd49833a2fbfa2fda7a8f76481257076b7d1f
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
17.5MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
17.7MB