Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows11-21h2_x64
- resource: win11-20231215-en
- resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-02-2024 17:53

Static task: static1
Behavioral task: behavioral1
  Sample: Project/GitMultiLoader.exe
  Resource: win11-20231215-en
Behavioral task: behavioral2
  Sample: Project/opengl32.dll
  Resource: win11-20231222-en
General
- Target: Project/GitMultiLoader.exe
- Size: 42.7MB
- MD5: 5ec24905f80bb16b8844d440fd4ca921
- SHA1: 079f6782c79d633f3ac1288523d39fd5c6132df9
- SHA256: eec6302b15fdbf92d7c6204f195246278aa2d7c54ed2eaf51f8298554ac75024
- SHA512: 10e3b37422b3d540f9435712ee94955df759ed1c404e35e708f0b6863ff2f8c4b1ff0fc084df10ffd805a9a9e633bb6110dc82d0d8d8d474439cd8a5b6fbfc55
- SSDEEP: 98304:YfCv+rScGQYPDofAKB1RYQpHd5nKRQGEaTmR3vNUkqh76n7EnVFG8TzIhX724Lks:Y7EsfAeHY0x7nbT9UsMaN6maSl
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  Processes: RegAsm.exe
  description | pid | process | target process
  PID 2088 created 2628 | 2088 | RegAsm.exe | sihost.exe
- Executes dropped EXE 1 IoCs
  Processes: driver1.exe
  pid | process
  4908 | driver1.exe
- Drops file in System32 directory 1 IoCs
  Processes: mmc.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\tpm.msc | mmc.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: driver1.exe
  description | pid | process | target process
  PID 4908 set thread context of 2088 | 4908 | driver1.exe | RegAsm.exe
- Program crash 2 IoCs
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  2348 | 2088 | WerFault.exe | RegAsm.exe
  3180 | 2088 | WerFault.exe | RegAsm.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
  Processes: chrome.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Modifies data under HKEY_USERS 2 IoCs
  Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522341246862399" | chrome.exe
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes: powershell.exe, RegAsm.exe, dialer.exe, chrome.exe
  pid | process | occurrences
  3220 | powershell.exe | 2
  2088 | RegAsm.exe | 2
  1448 | dialer.exe | 4
  3452 | chrome.exe | 2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  Processes: chrome.exe
  pid | process | occurrences
  3452 | chrome.exe | 4
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: powershell.exe, mmc.exe, chrome.exe
  description | pid | process | occurrences
  Token: SeDebugPrivilege | 3220 | powershell.exe | 1
  Token: 33 | 2356 | mmc.exe | 25
  Token: SeIncBasePriorityPrivilege | 2356 | mmc.exe | 25
  Token: SeShutdownPrivilege | 3452 | chrome.exe | 7
  Token: SeCreatePagefilePrivilege | 3452 | chrome.exe | 6
  (The mmc.exe entries alternate between Token: 33 and SeIncBasePriorityPrivilege; the chrome.exe entries alternate between SeShutdownPrivilege and SeCreatePagefilePrivilege.)
- Suspicious use of FindShellTrayWindow 26 IoCs
  Processes: chrome.exe
  pid | process | occurrences
  3452 | chrome.exe | 26
- Suspicious use of SendNotifyMessage 12 IoCs
  Processes: chrome.exe
  pid | process | occurrences
  3452 | chrome.exe | 12
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes: mmc.exe
  pid | process | occurrences
  2356 | mmc.exe | 2
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes: GitMultiLoader.exe, driver1.exe, RegAsm.exe, chrome.exe
  description | pid | process | target process | occurrences
  PID 4684 wrote to memory of 3220 | 4684 | GitMultiLoader.exe | powershell.exe | 2
  PID 4684 wrote to memory of 4908 | 4684 | GitMultiLoader.exe | driver1.exe | 3
  PID 4908 wrote to memory of 2088 | 4908 | driver1.exe | RegAsm.exe | 11
  PID 2088 wrote to memory of 1448 | 2088 | RegAsm.exe | dialer.exe | 5
  PID 3452 wrote to memory of 4752 | 3452 | chrome.exe | chrome.exe | 2
  PID 3452 wrote to memory of 2080 | 3452 | chrome.exe | chrome.exe | 38
  PID 3452 wrote to memory of 1608 | 3452 | chrome.exe | chrome.exe | 2
  PID 3452 wrote to memory of 4856 | 3452 | chrome.exe | chrome.exe | 1
Processes
(Process tree; nesting shows parent/child depth. Each entry lists image path, command line, matched signatures, and PID.)

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2628
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 1448

- C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4684
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 3220
  - C:\Users\Admin\AppData\Roaming\driver1.exe
    Command line: C:\Users\Admin\AppData\Roaming\driver1.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    PID: 4908
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2088
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 532
        Signatures: Program crash
        PID: 2348
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 524
        Signatures: Program crash
        PID: 3180

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
  PID: 4212

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2088 -ip 2088
  PID: 3248

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4720

- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\tpm.msc"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  PID: 2356

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 1004

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
  PID: 1000

- C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopMeasure.wmv"
  PID: 4172

- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID: 3452
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcdb129758,0x7ffcdb129768,0x7ffcdb129778
    PID: 4752
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:2
    PID: 2080
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 1608
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
    PID: 2536
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
    PID: 2168
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 4856
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
    PID: 4940
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 3536
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 3960
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
    PID: 560
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
      PID: 3772
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
    PID: 4736
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
      PID: 1488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
    PID: 1684
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
    PID: 3720

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 1408

- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
  PID: 4128
Network
MITRE ATT&CK Enterprise v15
Downloads