Analysis

max time kernel: 154s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-01-2025 18:29

Static task: static1
Behavioral task: behavioral1
  Sample: cs2go.exe
  Resource: win11-20241007-en
General

Target: cs2go.exe
Size: 2.0MB
MD5: 4847c81a02753c1035b3e79a8336898e
SHA1: a44103fc0b941a2e32df4ae5c4ea647627ffeead
SHA256: c2d1f2a32a49b9b5432d783c627cb0bfd17fafad4b55a39377e659d032b21d2d
SHA512: 4276affc21b5c40e184685dd17f52270f607e3b425f8899d078f6340cad6c1606d5c2aae5acf69dc9bec53f6e142a17043fbad8f0bf45d35cf0ddd56e9ea130b
SSDEEP: 24576:FP5vSkbLNsz7AmAAwjjxVqzMRoR02jdhhUZtkEpKWi:vTbLNS79qjjx4A+/hUXw
Malware Config
Signatures
Downloads MZ/PE file

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File opened for modification | C:\Windows\SystemTemp | setup.exe
File opened for modification | C:\Windows\SystemTemp\Crashpad\metadata | setup.exe
File opened for modification | C:\Windows\SystemTemp\Crashpad\settings.dat | setup.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When a file is downloaded from the Internet, the browser tags it with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier; the ZoneId value in that stream is the Mark-of-the-Web (MOTW), which SmartScreen and Office Protected View use to treat the file as untrusted. This signature fires on any modification of that stream. In this run the only hit is chrome.exe opening the Zone.Identifier stream of the downloaded SteamSetup.exe for modification, and the process responsible (PID 1016 in the process tree below) is Chrome's own quarantine utility (--utility-sub-type=quarantine.mojom.Quarantine), the component that writes the mark in the first place. On its own that is consistent with Chrome applying the MOTW, not bypassing it; the label is only warranted if a process other than the downloading browser rewrites or deletes the stream, or if the stream is missing afterwards.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier | chrome.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133804026067428506" | chrome.exe
NTFS ADS (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier | chrome.exe
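The two ADS signatures above (Mark-of-the-Web Bypass and NTFS ADS) both rest on one event: a write to SteamSetup.exe:Zone.Identifier. The following is an added example, written for this page and not part of the sandbox report or of Chrome's code, showing the two checks a responder wants before accepting the "bypass" label: parse the [ZoneTransfer] stream a downloaded file carries, and classify the writer of such an event as the browser's own quarantine service or as something that deserves review. The EXPECTED_TAGGERS allow-list, the sample stream contents, the placeholder URLs and the second (hypothetical) writer process are assumptions for illustration.

```python
"""Triage Zone.Identifier (Mark-of-the-Web) evidence from a sandbox report.

Editor-supplied example; not the report's or Chrome's code. The allow-list,
sample stream and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# URL security zone ids used in the ZoneId field; browsers write 3 (Internet).
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


@dataclass
class ZoneInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def marked(self) -> bool:
        """True when SmartScreen / Office Protected View treat the file as untrusted."""
        return self.zone_id in (3, 4)


def parse_zone_identifier(text: str) -> ZoneInfo:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    zone_id = referrer = host = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            zone_id = int(value) if value.isdigit() else None
        elif key == "referrerurl":
            referrer = value
        elif key == "hosturl":
            host = value
    return ZoneInfo(zone_id, referrer, host)


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read the ADS from disk; NTFS exposes it as '<file>:Zone.Identifier'.
    A missing stream (never tagged, or the mark was stripped) yields None."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# (image-path regex, command-line regex) pairs that legitimately write the mark.
# Matching the command line, not just the image name, denies a renamed binary a
# free pass. Assumed allow-list: extend it for the browsers you actually run.
EXPECTED_TAGGERS = [
    (r"\\chrome\.exe$", r"--utility-sub-type=quarantine\.mojom\.Quarantine\b"),
]


def classify_ads_event(image: str, cmdline: str, target: str) -> str:
    """Classify a 'file opened for modification' event whose target is an ADS.
    'expected-tagging': the browser's quarantine service writing the mark.
    'review': any other writer. 'not-motw': target is not a Zone.Identifier stream."""
    if not target.lower().endswith(":zone.identifier"):
        return "not-motw"
    for image_re, cmd_re in EXPECTED_TAGGERS:
        if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
            return "expected-tagging"
    return "review"


# Constructed sample stream in the shape Chrome writes (URLs are placeholders).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/SteamSetup.exe\r\n"
)

# Constructed events: the first mirrors the report's PID 1016 hit; the second is a
# hypothetical non-browser writer, the kind of event that would justify the label.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=utility '
     "--utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none",
     r"C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier"),
    (r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\dropper.exe"',
     r"C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier"),
]


def triage(events=SAMPLE_EVENTS):
    """Return (image name, verdict) for each event; the caller decides what to escalate."""
    return [(image.rsplit("\\", 1)[-1], classify_ads_event(image, cmd, target))
            for image, cmd, target in events]


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId={info.zone_id} ({ZONE_NAMES.get(info.zone_id, 'unknown')}) marked={info.marked}")
    for name, verdict in triage():
        print(f"{name:12s} -> {verdict}")
```

read_zone_identifier only does something useful on an NTFS volume; elsewhere the colon path simply does not exist and the function reports "no mark", which is the same answer a stripped stream gives, so a None result should be paired with the file-system check before it is treated as evidence of a bypass.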
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3476 | chrome.exe
3476 | chrome.exe
3540 | cs2go.exe
3540 | cs2go.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process
3476 | chrome.exe (7 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3476 | chrome.exe
Token: SeCreatePagefilePrivilege | 3476 | chrome.exe
(the two rows alternate through all 64 entries; every entry is PID 3476 chrome.exe)
Suspicious use of FindShellTrayWindow (36 IoCs)
pid | Process
3476 | chrome.exe (36 identical entries)

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
3476 | chrome.exe (12 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3476 wrote to memory of 228 | 3476 | chrome.exe | 81
PID 3476 wrote to memory of 3776 | 3476 | chrome.exe | 82
PID 3476 wrote to memory of 3580 | 3476 | chrome.exe | 83
PID 3476 wrote to memory of 3932 | 3476 | chrome.exe | 84
(the original list repeats these four rows for 64 entries in total; procid_target is the report's own process index, not a Windows PID. All four targets are chrome.exe's own children listed in the process tree below: the crashpad handler (228), GPU process (3776), network service (3580) and storage service (3932), so the writes are the browser bootstrapping its child processes rather than injection into a foreign process)
Processes

C:\Users\Admin\AppData\Local\Temp\cs2go.exe  (PID 3540)
    "C:\Users\Admin\AppData\Local\Temp\cs2go.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3476)
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 228)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0923cc40,0x7ffd0923cc4c,0x7ffd0923cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3776)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3580)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3932)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2120)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 656)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 908)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3544 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2224)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1528)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8

    C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe  (PID 2668)
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
        - Drops file in Windows directory

        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe  (PID 4292)
            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff694cf4698,0x7ff694cf46a4,0x7ff694cf46b0
            - Drops file in Windows directory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5020)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4216,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3788 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2856)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4348 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 776)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4172)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3536)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5184,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4812)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4980,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 784)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3788,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1916)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3512,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2024)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5008,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1108)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5048,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2452)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5016,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5664 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1016)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5324,i,8220192363475817702,7138411086643329223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5656 /prefetch:8
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - NTFS ADS

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 1676)
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (PID 2912)
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\AUDIODG.EXE  (PID 2328)
    C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC

C:\Windows\System32\rundll32.exe  (PID 2376)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 231KB
  MD5: 291213c09c6b73e6b68495eacca9d5cc
  SHA1: 74e6d5a923e37c66cbed8b5981b25b8e61612a15
  SHA256: f4d0e96c7a8d52713eaa084c726a949ddf803a96e79f12c723f045ba24013744
  SHA512: 0db05c1b43488d109ac190050a2f4fb3d787d16ae161b5d4d3fd819e2ad9d825d6e66ff211dd5b31753ee959a6e0657b402fc49f02ddd7a923a77a333af03d39

- Filesize: 649B
  MD5: 7cb4eb263f9c8a82fdf18ad7408eef99
  SHA1: 280cd23642398b33c693e1bc91a322a677741b99
  SHA256: 32514177ed531a5ced02ce3df46f694f8bb28a9e414a524e855c024bd6f4541b
  SHA512: b4de0967538b9811a167467c90fca0fafb377ae48ae9f387e09573595f4128b44a17068773bf6cf37f47e61c5a63eeb2b91bdecfd1587e5a5e33744d8911e69e

- Filesize: 215KB
  MD5: d79b35ccf8e6af6714eb612714349097
  SHA1: eb3ccc9ed29830df42f3fd129951cb8b791aaf98
  SHA256: c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
  SHA512: f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

- Filesize: 216B
  MD5: e01061056a456933806f43ff98a90eba
  SHA1: 3d33a99ab06ba2ff5582d9500d30622e6fa5f0fd
  SHA256: b0fabc6a3afe9df3e78cb6cd212ee21872714559ab13f0973225b2a7b1c10796
  SHA512: 9e90daffc34a29eed4f8664242a159db637e610c75db138a2c517a7db0c925a87dfcf34f31b988a1ec0e13bfe25e17e4bc6c79c885aa96b35ca4a918917c20c4

- Filesize: 2KB
  MD5: 0fb4317167805d01d4dfb9b3eb1da690
  SHA1: 3a06af56ae7c836eb79f7a8c82ef0d7455a7cdc5
  SHA256: 7562e8b27556cf62a6c7651d99aac7529dd3eae43d5d61181067a8d37aaba38e
  SHA512: 8706630ce71f1da5b1dfe162883e5fe9a7558a588eb13456727060b86d212ce198100f06a4865049b79129342866e9abba26181b0f51435d5c08115113fd7c0a

- Filesize: 264KB
  MD5: 475a63bf5bf7bdc69fe1267bac10a62b
  SHA1: 0ff36ebb4d20358d94444672c2ca38f9a5f0e311
  SHA256: 25c0949a1230fd5dbde143f8648ee11ce1ff8faddc20d85f0020ea03c3b4bf3c
  SHA512: fcedc46e54c052caa187153ee9f66d6c29fe6f3ba431bf71c7dcc256ccfc4a6d4933cca98a768bcdbcf85920863a7e6428e301d88e50fa8404bccab45e0e9e1d

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
  Filesize: 851B
  MD5: 07ffbe5f24ca348723ff8c6c488abfb8
  SHA1: 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
  SHA256: 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
  SHA512: 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
  Filesize: 854B
  MD5: 4ec1df2da46182103d2ffc3b92d20ca5
  SHA1: fb9d1ba3710cf31a87165317c6edc110e98994ce
  SHA256: 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
  SHA512: 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

- Filesize: 2KB
  MD5: 32388936760725474028146a9521819e
  SHA1: f1684471af83e1cb6f55546c6ce3aec753b33670
  SHA256: 3b338060f806e412a6dbf90de1bc8aeb5603e61849a0db63b0aa175594fc3ae2
  SHA512: 7df6fbc5a52a1cad04e012726a769bedb15699fe394461b32f8ccb268f26bb94751388017d46e2c8c5dc421f29c4af85df6aaf2bd8c0b80b8b6efac6c48bc57f

- Filesize: 5KB
  MD5: 0a5492945096f7285f8576b4aa35721f
  SHA1: 647d84d190b5fa22159b4386787f26882005d0f5
  SHA256: e4a16ebb2e6815415606df4b895b3e705e42a07a4c52ebb26ab2880d3fba857e
  SHA512: b30b4921e95dedc5c325226157cf42cfd0ee7f5d53a6c2f8db97e396c4498d14a945c110e9918fdb7845a60c3b137bbade200b587183693b9ce8955e21c189a8

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 354B
  MD5: 1c03677a2c87d7974052a6a041e1eaa4
  SHA1: 641c14c4639a0f9bc3584b67d57c6d5f1ce4fc4b
  SHA256: 8f8217caa83913d100ac0afbb44de7b949b9258104a1e8766969d98c84fa3fca
  SHA512: 1c81c89ecad8760628a693aafb8546fdc3ac0a4669e29925f628b42a4dbd76db2d9eddada15f14aeefe2c6cf0532e70f0d6e2d30a340529b174d0fdb45b40c91

- Filesize: 684B
  MD5: 3f53ab4c4f5c8ec0e4f0b3bfeda89451
  SHA1: 96e9a2f47467f201ed2349d007afd1a89aa337be
  SHA256: 7e7c6329348ec13e2e91d5eadbb786c120baaf38bf5690efd395979febd658f2
  SHA512: 9680a93e476fb86a410328e98e4e3817ab2ea368558d3f5ee49d7104a40edc2de5a774635813703cf90ab575df3bc5e77f696eef251443e195f3e87d09b2c19d

- Filesize: 684B
  MD5: 9f22d483f0c38ba82b886138c3e40f82
  SHA1: a4672ab7b2f87b0c4281caa264674adac8cb3f93
  SHA256: 20d1f38895edfcbbe2b40b4d284a1f9576fec4eea1ba7cb9e51c2bd025ecefd0
  SHA512: 0b158bf41c8f25a8736a27d708e8dd46eda319f6310e1af257bf96f7ac0eb828a0cfb45039427e0d96ce9d4d941016d9c3b256884c3de90ce36b33c7d3fc0f50

- Filesize: 9KB
  MD5: 23019ef21e39c9da0525d366b33d8b17
  SHA1: 24d3602eac9554f44460b27f4df94e3d9acf29e6
  SHA256: ff8991f6f1385f0d7d3d0f13473711bbd12dd701cda4e7933096c3f8d8460f51
  SHA512: e2b13a4d4b9ed390999f2ae1c56fe0ba6b30c0ec700924322aa7e2e5a9d181bfe15e82e1a171cbd859200fd17416882927277aba409e2bd513bd13282d4a3216

- Filesize: 9KB
  MD5: c7b04c89af0be1b5600b067f0310de94
  SHA1: f6cb107198e1f8abbac0bd9bb46173a69be855b8
  SHA256: 8098bccaf590cd8e58d5b180dfa9e09d39f397bdca9001b1bc457ae4f6dfad5f
  SHA512: f7d5e6b8f9ad09a86ee000a60edca51c8b4f9737bfbab1a107352412495c38eefb0f2fe484ba18826c2cd083ddb6e406a0addc0353e05dbb052aa3d7d7e90543

- Filesize: 9KB
  MD5: 3aa3d1eacfec6e90ea74a126e0a7c031
  SHA1: 47f57f0e8142f121426829f93c8b6cff19ba1ac8
  SHA256: eef52b9e8e09c717c13b4a798f5e9acd3609cfc6557c3c987d5ae81ea47758c4
  SHA512: b18586aba6726b00bc7d9454c71e9fb945355be2f4cef6fcc303a12c0ba76e80473f9f523d09f8fad2d0062791991923d1462e5ccf0d22f84a4ffbd26528dcd4

- Filesize: 10KB
  MD5: 3866ae2a0a17cecaa2c9d531709ff9c6
  SHA1: 64010f92a5f3fd406c10304c8bbfa0231616e87b
  SHA256: c5e6980fa61f848cc6b4d1b54ae9c71439c49b6d469834619ba3cf001dd4f449
  SHA512: 9d05065eb1baa625440131b5d17d5dd547a79e81a3b2421694da374a1c14299bef694abdb8a4e3e4f2f2516d710ca286d7304ececd9f3b1e778bd3b21d51e944

- Filesize: 10KB
  MD5: 29be362f30b54fe10e6f2cf1ff4cc060
  SHA1: cb7a375216c573a4284475d46aa8c946f921f232
  SHA256: 6c7ac4980733ac082ac0a2e3c3e2d7dc36c62e728b7b180711665e06ca944350
  SHA512: be6331baa3004e6214cc8acf7a29294855a33800b9135852ae8c64b39c6cba93bd7eb4c303565d719fe5fbd74197ea62adf519d7c2c0274c171791afe7d2a6e8

- Filesize: 9KB
  MD5: b9ce785745b4fdd21ae9bd58c51784a0
  SHA1: effa68bd2d8c25b05409c73329454ab4dc898af6
  SHA256: bce4265c91ff295f14bc3d9530d559020b2623c3a654b4eb94db9277167f6cbd
  SHA512: 1dfbe6f85b5480c3f24b6271534a60407fa576ce41b2276db7ddafb082589039708efb856cca92c0063be0dbbca539f0a856ced044ab0b0f19c61700cd1426ee

- Filesize: 15KB
  MD5: 3f226d3e3d98b23e079eee21acec0c7a
  SHA1: d103baa1fb2d586b49d57b0254e904e2a28028f6
  SHA256: 93c7f818bb4a02bf979c40071d5e24fbae7cd8e050667e740e4d7e672076a215
  SHA512: 0456d4a87788be5e54ab079a7183357fbdb2f36798a67fe9422a2aa5df49580ae054790c61f5d081b690d469b782acece4887929ed190f5e873cc847cc3652a6

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: a95635ec4e897116b77ac04988d728ef
  SHA1: af75521636e1b987f3a1ce35f9a915d211f95972
  SHA256: 3f3ddb736a9fc251b5b3fd00187c58945d353c569f7696cd9fa5bf46955f3e02
  SHA512: 087ee78818a38a4871c3ef3ed2996f527f1e3275b15089698a66f349203d31409b5594d58a0b4591f2c3280689a8c45a1f5300e3605f06949ad3275f146972b0

- Filesize: 231KB
  MD5: 849b24cc7da40027e4ee07633f2c1d12
  SHA1: 638a3b64772e8857256b632af060a0597691fc8d
  SHA256: f153ef2ac8f6a57015bb2956300cdd4e1c3d6fdac0dd8c449698fb9aede48c57
  SHA512: c051ce2f91faf9a77a07c102f85ba8081968275621acee19d7e455315085ed93f6fb5d8fb62c5db3e307e29b2d6b006292401db0470119077511166817b3e981

- Filesize: 231KB
  MD5: 37dfaf03f712e15565fc1f7b4a9ee49f
  SHA1: 9513cfdcb0f9ac361a93c41c21b727f10aa71638
  SHA256: d9d08701ca620525a4dea182c03eb18d4cd0be34d072a41989fa1f9cecf0c3d3
  SHA512: 232b92a98c3ba470bd737c8dcf5dde08116586427f200d79e0d67592f607968583817f5757d0af204f70bd2648040429ffb6ba1affc2b78ccd73200c2ac7c983

- Filesize: 150KB
  MD5: 14937b985303ecce4196154a24fc369a
  SHA1: ecfe89e11a8d08ce0c8745ff5735d5edad683730
  SHA256: 71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
  SHA512: 1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

- Filesize: 711B
  MD5: 558659936250e03cc14b60ebf648aa09
  SHA1: 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
  SHA256: 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
  SHA512: 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

- Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

- Filesize: 2.3MB
  MD5: 1b54b70beef8eb240db31718e8f7eb5d
  SHA1: da5995070737ec655824c92622333c489eb6bce4
  SHA256: 7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
  SHA512: fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb