Analysis
max time kernel
150s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted
04-10-2024 12:30
Static task
static1
Behavioral task
behavioral1
Sample
main.ps1
Resource
win11-20240802-en
General
Target
main.ps1
Size
1KB
MD5
3192d090b51a7619bc9efba00478eb83
SHA1
cd449bd5957d6f51a4a05150b9ba732bbb38314f
SHA256
458d463a638840beb8ba3de4af72fa733373c004b83c32158277027b66dbeba4
SHA512
82d8859ffc18525bd80b5c0ec995b31886d3cba31f09f87aca8a986cb4f2f4683b876caedd2a2da133a657f2d7465a51c5cd31f75b6f668e92800efec78bdf37
Malware Config
Signatures
-
Possible privilege escalation attempt 16 IoCs
Processes:
pid   Process
3292  icacls.exe
2924  takeown.exe
2184  takeown.exe
488   icacls.exe
3236  icacls.exe
2532  takeown.exe
4028  icacls.exe
2960  icacls.exe
1884  takeown.exe
3920  icacls.exe
4344  takeown.exe
2968  takeown.exe
4888  icacls.exe
3940  takeown.exe
4716  takeown.exe
3524  icacls.exe
-
Modifies file permissions 1 TTPs 16 IoCs
Processes:
pid   Process
2960  icacls.exe
2924  takeown.exe
3940  takeown.exe
2184  takeown.exe
3524  icacls.exe
488   icacls.exe
3292  icacls.exe
4888  icacls.exe
1884  takeown.exe
3920  icacls.exe
4716  takeown.exe
4028  icacls.exe
2532  takeown.exe
4344  takeown.exe
3236  icacls.exe
2968  takeown.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 5 IoCs
Processes:
description                   ioc                                Process
File opened for modification  C:\Windows\System32\control.exe    powershell.exe
File opened for modification  C:\Windows\System32\msconfig.exe   powershell.exe
File opened for modification  C:\Windows\System32\regedt32.exe   powershell.exe
File opened for modification  C:\Windows\System32\taskmgr.exe    powershell.exe
File opened for modification  C:\Windows\System32\cmd.exe        powershell.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description                   ioc                        Process
File opened for modification  C:\Windows\explorer.exe    powershell.exe
File opened for modification  C:\Windows\regedit.exe     powershell.exe
File opened for modification  C:\Windows\notepad.exe     powershell.exe
File opened for modification  C:\Windows\SystemTemp      chrome.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description         ioc                                                                      Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
description       ioc                                                                                                          Process
Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                        chrome.exe
Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725187202056040"   chrome.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
pid   Process
132   powershell.exe  (34 entries)
2020  chrome.exe      (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid   Process
2020  chrome.exe  (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                        pid   Process
Token: SeDebugPrivilege            132   powershell.exe
Token: SeShutdownPrivilege         2020  chrome.exe
Token: SeCreatePagefilePrivilege   2020  chrome.exe
(the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for PID 2020 repeats, alternating, for the remaining entries)
-
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
pid   Process
2020  chrome.exe  (26 entries)
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid   Process
2020  chrome.exe  (12 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   Process         procid_target
PID 132 wrote to memory of 2420    132   powershell.exe  79
PID 2420 wrote to memory of 3940   2420  cmd.exe         80
PID 132 wrote to memory of 5040    132   powershell.exe  81
PID 5040 wrote to memory of 3920   5040  cmd.exe         82
PID 132 wrote to memory of 3832    132   powershell.exe  83
PID 3832 wrote to memory of 2184   3832  cmd.exe         84
PID 132 wrote to memory of 3800    132   powershell.exe  85
PID 3800 wrote to memory of 488    3800  cmd.exe         86
PID 132 wrote to memory of 4572    132   powershell.exe  87
PID 4572 wrote to memory of 4716   4572  cmd.exe         88
PID 132 wrote to memory of 2800    132   powershell.exe  89
PID 2800 wrote to memory of 3524   2800  cmd.exe         90
PID 132 wrote to memory of 3460    132   powershell.exe  91
PID 3460 wrote to memory of 4344   3460  cmd.exe         92
PID 132 wrote to memory of 3120    132   powershell.exe  93
PID 3120 wrote to memory of 3236   3120  cmd.exe         94
PID 132 wrote to memory of 3196    132   powershell.exe  95
PID 3196 wrote to memory of 2968   3196  cmd.exe         96
PID 132 wrote to memory of 3208    132   powershell.exe  97
PID 3208 wrote to memory of 4028   3208  cmd.exe         98
PID 132 wrote to memory of 1824    132   powershell.exe  99
PID 1824 wrote to memory of 2532   1824  cmd.exe         100
PID 132 wrote to memory of 2588    132   powershell.exe  101
PID 2588 wrote to memory of 2960   2588  cmd.exe         102
PID 132 wrote to memory of 4140    132   powershell.exe  103
PID 4140 wrote to memory of 1884   4140  cmd.exe         104
PID 132 wrote to memory of 696     132   powershell.exe  105
PID 696 wrote to memory of 3292    696   cmd.exe         106
PID 132 wrote to memory of 3700    132   powershell.exe  107
PID 3700 wrote to memory of 2924   3700  cmd.exe         108
PID 132 wrote to memory of 1476    132   powershell.exe  109
PID 1476 wrote to memory of 4888   1476  cmd.exe         110
(each of the 32 writes above is recorded twice in the log, giving the 64 IoCs)
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:132

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:2420

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3940

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:5040

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3920

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:3832

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2184

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:3800

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:488

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:4572

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:4716

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:2800

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3524

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:3460

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:4344

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:3120

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3236

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:3196

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2968

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:3208

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:4028

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:1824

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2532

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:2588

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2960

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:4140

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:1884

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:696

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3292

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory
    PID:3700

    C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2924

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory
    PID:1476

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:4888

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2020

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde544cc40,0x7ffde544cc4c,0x7ffde544cc58
    PID:4908

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
    PID:4532

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2140 /prefetch:3
    PID:2712

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
    PID:1900

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3268 /prefetch:1
    PID:3324

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
    PID:712

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
    PID:2584

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
    PID:5084

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4736 /prefetch:8
    PID:1736

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4696 /prefetch:8
    PID:3100

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4932 /prefetch:8
    PID:2032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:1752

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:3224
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
649B
MD5
5db14c1fc67fb5ac9211934781689e5b
SHA1
930c258efa74d7ae5d7c11d9ca4b6912c7dc59eb
SHA256
2682fdefeeb94036b974a902a4d086c577052098a35c474aa266c8f08da8ae26
SHA512
11d41e69782cea08a319d10bee874a823561dcdd0332650d15de5bb08be3592f44f6e00ec935beeb05ab46cd06f8b54f50da804fb0db7968db907f624878300a
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5
05275f90b6cd8b556aaaabb5792ef96e
SHA1
642cd019dd079ee20da2ecd051afb6afa717477d
SHA256
d8a71dd99f97db3dc40bc5ccb7876d3d6e29e34e7d1e6f562a15efa003977e61
SHA512
00cd0e4b818e1d15bf7ae3a5a9f66436e9fd52b9519f7a94fcb19ad06987a8fa4a5d31091304217675cbe2ae1749d266ac8e6bb8f475df3393c98be80d9cc9d4
-
Filesize
9KB
MD5
c37b36ab957873b94c92890b6b0e1566
SHA1
6d52b6ecb29b66de51345bcd30d3767158ded1ce
SHA256
f3ffc6d2b85cce6204fcbc182473fd6e1da2e931e135bd6907fc12f26366cedf
SHA512
1cc15c7025bf39dd2d684b8b29a7672db2b9c7fec5dc106f0186bb8123d0baa3b9a5ada5eb4a35bb84f1c635df013bd38cbc02235f5762ff5e6f49dce3b90d5c
-
Filesize
9KB
MD5
3de7988e0053c68c55a8daa0e2852277
SHA1
e8476905a299b0a1a18ce12681b60719899bf530
SHA256
9edb897ecbf50402d0692bca92f228d7116e1696bc2dd7a168e5dcb84e2ae56f
SHA512
8dc4d19e3ff558b4bbffc876514a668846ae5a9c1cca25b7c8941a119baefb8bc6d06588037e938c07115dfefb3ba80ddf453f6e6ef1f508213e4cb5123ec063
-
Filesize
9KB
MD5
f1493fb1709cfd984de10bec1186910b
SHA1
5f40b414d625f8bf572b478854bab2aef2915b8a
SHA256
11fe7ecba873905fb4c8c93ad7a12d0ea9fdb9662aa430a0d42be6ecbf81c5c6
SHA512
6cc80207967a78fa99f113625cce48a809cf553682d3bb09c381a4888c119d189bf5ca54b4fecdd4ff9dd3f5c5d6d9be2ad3e59b382d08bf1702d59192b44476
-
Filesize
9KB
MD5
000f684ee1bb1b68bd240a513d2bac95
SHA1
60e1ce4741fa9d6284d15d11bcfe790f2e220409
SHA256
bf03d5133ac85ab85bae4d3849f3f1f7d10e32d98acaecc73c1fb51d66baeec7
SHA512
66014ca426ce617594c7b3ec5933a26d9feea4ead1bdc2ff300ce1b3697fc52d8c8c39e79121de02a45cfffe6aa05128534dde8c7acfb3a4b66fe63b42d82891
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f7bc6773-0c24-41aa-8972-a8420771d3a3.tmp
Filesize
15KB
MD5
c922028acbe867154c1556ac9566dff1
SHA1
68be73aa2bcf4337e2e6ca0c59724369988526e7
SHA256
c36a49235d8c2c947bb509e32d89810db3d0f7a2a68e9d154b3972ddbf4aedf0
SHA512
22aa8656d05e1400ad8eb0851abed4dad83dc0a9562028d941ab9fa53d14fedeacb22ed7ef43d1f2b747e86b9707a721f43e0e7c15b04367ab91a2c47ca2ad7e
-
Filesize
211KB
MD5
1ec2e7fbad8cfce7ea4a466c502ca56b
SHA1
e5edfdb66545ae4e13b28256d95e6091768ed4e1
SHA256
8db5fd231f56dceb35aa74ba701f12e3918b6c460ab68c5d4eeec9b7223a92ac
SHA512
356f535f80fa2127297474f59475ba032dc8014342ee4ad4379633142a553884ec4395e3feb948ffdb5b7047baaf67d1449cf76f7afec39a6191c88926aefc59
-
Filesize
211KB
MD5
b5a5c41131159f30eb7e0109646183ab
SHA1
dcdfb628a165161ebb8faed7c72b4ea0d077df31
SHA256
081af51d0a91cd96579aeb1e507806d64e44a999d6e4eb9100d17ec266797efa
SHA512
79a173e0d0058b1a13933e02e63b3d1c73561a9072081d8b85e8e6469b3542bfeb1d1504e3cc4fb99c7216408d47427a942b825ee15600abbaa2ebf46405e5d9
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82