Analysis
-
max time kernel
150s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 16:24
General
-
Target
RBXIDLE.exe
-
Size
134.1MB
-
MD5
92d241ee2322192f628a7c0ca5c48f48
-
SHA1
60e19cb221c868c750601ecaf88309dcad32d886
-
SHA256
93d3e9ee4cca55a9287418e12eba8929bc471aa37ec213147f7bd8dc0896f98f
-
SHA512
8ff9dd69f699d7d538b12e03564a04d1f31aaabc00cf2895a33bd8edf6e7864f888dd065c74ea6de9376da96a44c566b1b59d328c6e7c9dbc91ff03cfee3e75c
-
SSDEEP
1572864:UUIbvHBgU0Tj91hRhmsMj9ZcZW0SUqDQ:UcUw+AGE
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL 2 IoCs
-
Hide Artifacts: Hidden Window 1 TTPs 1 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=gpu-process --field-trial-handle=1640,9624674439324350722,9068604256172353578,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1660 /prefetch:22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,9624674439324350722,9068604256172353578,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --mojo-platform-channel-handle=2128 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1640,9624674439324350722,9068604256172353578,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --field-trial-handle=1640,9624674439324350722,9068604256172353578,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
- Checks computer location settings
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\33ab0b1f728e03625c5e82ac22e3dd88\execute.bat'" -WindowStyle hidden -Verb runAs"2⤵
- Hide Artifacts: Hidden Window
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\33ab0b1f728e03625c5e82ac22e3dd88\execute.bat'" -WindowStyle hidden -Verb runAs3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\33ab0b1f728e03625c5e82ac22e3dd88\execute.bat"4⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\RBXIDLE5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer https://discord.gg/XB94k6SxWN"2⤵
-
C:\Windows\explorer.exeexplorer https://discord.gg/XB94k6SxWN3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\33ab0b1f728e03625c5e82ac22e3dd88""2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"2⤵
-
C:\Windows\system32\dxdiag.exedxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml3⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"2⤵
-
C:\Windows\system32\dxdiag.exedxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml3⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/XB94k6SxWN2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa0a7846f8,0x7ffa0a784708,0x7ffa0a7847183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4632 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4604 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,133189114959566434,7748046495989102692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 /prefetch:23⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
480B
MD59be9d3a90107785561128f264ca4d6f3
SHA10a95045a925fd3d14ea4ecca0101cd0d739315a5
SHA2565a3aa055103b28030ebbb88715899d97c5a3ac7750d7c8b96c0e08fba4793795
SHA5129356aabaff080bf381cf4329fd98bdd2e525b7682626cfe804353523b763bc46881dc1f201149fcc00b57ca229becd3af967122df90c15fe204f4c497aa09502
-
Filesize
323B
MD5a5a1149047729a493b1a2a65063c39ba
SHA18f1f45cb0c0772dcd05795734cbf408636fb9fb9
SHA256e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006
SHA5128ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e
-
Filesize
5KB
MD5b527fed3984b61bbc0f21902ecf47e29
SHA1ff21beb53ecdae1387e0eb6b71ef987fc692e6a4
SHA2569aed45cc5779cbb4d8687764112d68e64a54f5413da325155b8d5ebc42108550
SHA512c6a1e2e285aad7fdc5393159b874d0d9581a3c5a717be59d0ed481d556c96da13eacf12b08c9e5efb8f9a4e877a3952b49a6556cd9270c01cc9c4f8478ed3ce8
-
Filesize
6KB
MD5511f238f236b8c00ac396d190840c3f1
SHA15ee104377011f593c85f7a58236a04e2dca6a7cc
SHA256ffea60d1a5eddf11c887a0191177bada92f4e4ba27801286c803d1e147bc9b24
SHA512a57b78f8b00019385f0331d5a6423400525ec614d374256284096ff77a3165517dac45180cb863d5083cb3131e7a4c18c12297ef5a9e64263aa05dcdd062db6e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD54d50f5c46fd70ec2925fe769c8ce3ba0
SHA1d16bdf1075a5f7bd4b03151088ef39a680beec48
SHA256cf6969ed505501497d40608acac7744376ca4a412da0cb39532647302eb7ece2
SHA512446dd09b6c3f66b8e7591daf649a4b5f2315c635d183ec3d3ebacaa28a16aeb95d8c9b4872bfa78ab397aff46d5c86c6df5433f83ee326f6b283fec4ae2190b9
-
Filesize
2KB
MD57a1e03fe1039bf494d77070f2c583626
SHA1bb6b31d644873fea13cb3c37e6225670b5682c8b
SHA25653bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2
SHA512e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827
-
Filesize
2KB
MD528c65370f12e84b734af87ad491ea257
SHA1402d3a8203115f1365d48fa72daf0a56e14d8a08
SHA2564ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c
SHA51256eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc
-
Filesize
2KB
MD52f87410b0d834a14ceff69e18946d066
SHA1f2ec80550202d493db61806693439a57b76634f3
SHA2565422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65
SHA512a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4
-
Filesize
2KB
MD52219d11d38283c6540fe67fa7c6ffa9a
SHA16b31e02cc3bac71b2efe040cb9145a9f39cf265c
SHA256c60525f251d08b002da0d783afa2defe40377aa19a7a3f6c5167bce73cdec2ba
SHA5125910c82dec0862520bdeb224b081ab1811b358abb940fff57c9a2f78e804fcf8e3464912bcb1a7ed90a1860f2d9a158b8b9674d905b3a98a2f17af54e3b07343
-
Filesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
212KB
MD5c2387a887c8665868269dc1ddb6d73b7
SHA1a21ffa918e33972c77bd5d7d0801dae8e0da0b34
SHA2564dc72530341ceb89eb249d04b9d914b7375ef45aa0cb9cc0640e45b69cf8cb2b
SHA512ebbbaf2befd93c74693813c0de8846806d939bc1fbbbff94f20b85d019fa0194891859b8b2ea7e736320dc6b0a789ca443452ac22d8585243de17cd1c07c324c
-
Filesize
298B
MD53d81ad1ad673a10c27c19ff119e7484d
SHA142de481417591da721cdbefe42877a37182e329a
SHA25661e60c609fdebbe73e00ff2b7d0e7a4977fb7cc88b78080e6db61cf8e9a573e8
SHA512954dbd9dcbabd36afe7d15d863df6a951f42a30d2e0f74d7076962a030e33d90399ab06330f697220ac9407a2667d87aa020e5e89744cc0ff76934f6dbf3ff1d
-
Filesize
352B
MD5c8366ac5d29444fed033d45af0642a26
SHA16b7a80473fea77cae49bf7ec0f36cd858b7237c9
SHA256df13ca9d491b3f0f55977c6747c43c35c543f2183a15fc04d8e6e23b6ebcfb6a
SHA512252c888a6bb3c57f6f162395e56fd5f9e557f7f2360ba127925c9ba27b65d2ba7fe3872afc5e1849beb491c5ce31f7d797b0308d07e837e98de5d2bb7b929cd3
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
Filesize
1KB
MD556f65d7404887fac45cde2bfbfeb6274
SHA19209219c7254bad5b875bcaa6243278840b0a74f
SHA2569d47a39f9d5ac3fd942fbcbf227508006471e55c719c08c71f1a96f657452af8
SHA512e1a4bab1e6d9c18c9b50ac44d1854a061600330a3de0d90a8b0389cdd93260c0cc18dc7e421a5fae7ff89177a4bbc4e41da89f7c057b7da18e186cc513395b9e
-
Filesize
191KB
MD57ec7dd493ee9bc5ffc207d58eef582a6
SHA1f00bb96ccff396eaf68b40745f43c130af96ed85
SHA2564f0dfd414666f66c1d93191e0314f86c1ae9e68405486bfe89e473816ecc273c
SHA5124b9d6a8a8e56f377802458a79b8d80131fbbc34aac6debfc8bef05cf346008448aed18571a8e837d359f72dde0283b27ef5de746988fc420b49789f3e4c989ac
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
Filesize
216B
MD520fa73f6cfbd19339e729b4fda45a6cd
SHA11205c27229f205a846cc914e88ab86744349c5ff
SHA256d5486244f69459b54fbd6372ee6aef42c76340b95774a24fc54a03a93370cc04
SHA512454c8388c34cec9d42b5e135b7e6ad3a7deea28cb8ae65f53749684235f8ffbe01580d063a8c377217d2f5193d8f32f4b6ce0d9415f75cc9ebb8547293aa96f8
-
Filesize
48B
MD5c8950ea1a66162e81c81cab24cc2031b
SHA19eedd8b6b450ff85c3a847adf063aa464c27e3ab
SHA2563cefd57a1425d1748980d9d33cf883ad69ba50101ca69344b19ae84dfc7178e2
SHA5120c0957bd346076cc1abda968c506ca08aaad2aaabebf463129d5ffbabced2ffc0d91bb87113dc1efd28c80347cb8143c731d4d07c1bbc5b0af00f815b61dab9b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
4KB
MD59db63dce35e29fe86e54eb0fad284c86
SHA19f2c36e785b9bf6a268a4d02b9f99d75ea17d333
SHA256e19b5fba03558ec569f7fea1d16f39d4f8c41a624088df25f317a144189711da
SHA5129f84946e0a3cb25c4424802da6fd176316b276e40a7a7d1b7d813decb6b742faeea9134984b297c8ab705103fb3a02b9c8e9546b50eec57edb4e0d865677aa56
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
26B
MD52892eee3e20e19a9ba77be6913508a54
SHA17c4ef82faa28393c739c517d706ac6919a8ffc49
SHA2564f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2
SHA512b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae
-
Filesize
90B
MD56fdca5cd48ddd79c6921468c6b822a4d
SHA1931d9954a3927a13d6297e5c92233bb75b1259fd
SHA2569a76bc4e739a133efa183168e1041afad03e6e29afb1f4a3ba8d23596aef11fa
SHA512a3b8f495a945a20577f665ac9e0b13f5265ffb81b34be8ea45429bc8c3de39bb475d26a24e93f53be1795bd695cfff8cb72390b6a75efbdf973ae174482e318a
-
Filesize
165KB
MD5422d609c5e7bdd571da26c52c20b8dd1
SHA172f0e0b571a72f14ca1512ce4b9774011ad77742
SHA25639e160523e82ac69f32636c4ec4f5d0bcfcc2bd65ec8ca8467dbeeac6835f67f
SHA51273b5f0719efe1ec8af69375134c22eec19b7a86738d75ea80cdc611826e90a70614949e4feec826097b99aa52757a7c7841e557e4c20427b87214c0f08d34992
-
Filesize
69KB
MD58713ae4518cf31c5ad24523eeb5b3a53
SHA16d5df40c4e15ad2c39aa9b42731191b706004fa9
SHA25652b81ca1625a75dcee1c1fe8677e4a7fe5474422cff9c9f83b9ef3ccecb8ba7c
SHA512f3c35be3848b3512338f3109aab7ef6c4659db46851a8f8877d0e8639fce9abd643741381ba0cbedb043dfcc6d3b0820129421427b9af21cba0fd476c1dfa18f
-
Filesize
347B
MD54a4712a64f9c8810480711f7fac791e3
SHA1fca5a949329153cf5bdafe982cebd15817648e27
SHA25687962a274a0c1e4d0d186a00e5ee44887a81078d9e0637dcd2566b42d426cdc8
SHA5127818fe4eb40b5b6dca3d2c7e6e5bdf50994ad95f1500553ae2fd8fad35601142621d3bc7b6c4c86f8f3458ce69b4a6d35b3d5f3f723d7bab5f79b624de76c13f
-
Filesize
345B
MD546678851b8badfd65a70604feb02ba0c
SHA1574f675578d6de97d06bbb0590b1c2dee6c03f99
SHA256da7ff07a09d2eb4b212293698f1be4de250d8589543e711ce6271cdd4ce1746a
SHA512ad5a382e41c5bb47d656a13e9c85ccd325993b5b94d3d670f79f37e6d1edd9b975e72fd6eb58999b0d91eaa233546f33c469724c4748e0c050b587102c24459c
-
Filesize
396B
MD53898facc087a66584903c760de05fa34
SHA12a510d5021c5a0f91ff855891a204a3ac813e622
SHA256da62d153a6a03dd735547425e623f44b3c0735f5ce3e9abb1b53aaed269a7d71
SHA512a5874eae6225de3ee1f85e8972022f42be18cd43c43e722b6328d280d4e526fa354f6daad0921c26f62c10c7058b48c5ee008924fcee1a7ef0f12963008cbbd4
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
874B
MD5d061080412f681e964c5241c7685e999
SHA1e1e123df79d6a61b4b5c82bd7ed5ec2b8f421a3d
SHA256880327788dd2eca2bbd1472835edd8d058b6828f4c7f0966b00d731bf0faaf28
SHA51263129732bf519dcb1f64977c38a99b07556042f4618610bd2511a09a13f2237ab18f5853a7a131bcc7e1bf4d13ee974f3f058009356cfd15e3f014cf244d2c96
-
Filesize
872B
MD5e3f92e4aa0f494b8423dc7e191abfd43
SHA1e49661ecf83503836d8a126a199efafc7b5797d7
SHA256ba249adcd9f2c453a1a068fae733be3a1fd37387651094f2cd01a69776fd42b0
SHA512fb4944e10b8cd8596a42183c875c8d738f5588a32aaf166c5493ced11f34cde54c664afe44dd1c447ce69cfea763f1c82ea436ae2ff34ea2a704b0fe4b2806fe
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
136KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB