guloader | 5361b9b36e63b571fe6440982140dbe25d395cfb645ec404a8d3fd8f31489b2d

Analysis

max time kernel
103s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EO-230807.exe
Size

531KB
MD5

96e7620d6a6a59cefb5cb21e60c4bdee
SHA1

194dc5c849336d95080eeb7498ade2d055319561
SHA256

5361b9b36e63b571fe6440982140dbe25d395cfb645ec404a8d3fd8f31489b2d
SHA512

0277ad5640edf227210d84f6eacaa72f64064e4ca1a37761020269590c28e145bf224ac222fc5bd838e3d58abe415ae40c28f162e70b553dc98a212dcf4bee54
SSDEEP

12288:nDGfx3iNgomHnrVHOvRpZHG3fm9rbzGEC:83R9HMN0onC

Score

10^/10

guloader collection discovery downloader spyware stealer

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
5492	EO-230807.exe
5492	EO-230807.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\linievist\unilateralerne.ini	EO-230807.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4832	EO-230807.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5492	EO-230807.exe
4832	EO-230807.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EO-230807.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EO-230807.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4832	EO-230807.exe
4832	EO-230807.exe
4832	EO-230807.exe
1944	chrome.exe
1944	chrome.exe
4320	chrome.exe
4320	chrome.exe
4832	EO-230807.exe
4832	EO-230807.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5492	EO-230807.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	EO-230807.exe
Token: SeDebugPrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5492 wrote to memory of 4832	5492	EO-230807.exe	94
PID 5492 wrote to memory of 4832	5492	EO-230807.exe	94
PID 5492 wrote to memory of 4832	5492	EO-230807.exe	94
PID 5492 wrote to memory of 4832	5492	EO-230807.exe	94
PID 4832 wrote to memory of 1944	4832	EO-230807.exe	100
PID 4832 wrote to memory of 1944	4832	EO-230807.exe	100
PID 1944 wrote to memory of 6208	1944	chrome.exe	101
PID 1944 wrote to memory of 6208	1944	chrome.exe	101
PID 1944 wrote to memory of 4304	1944	chrome.exe	102
PID 1944 wrote to memory of 4304	1944	chrome.exe	102
PID 1944 wrote to memory of 6928	1944	chrome.exe	103
PID 1944 wrote to memory of 6928	1944	chrome.exe	103
PID 1944 wrote to memory of 4320	1944	chrome.exe	104
PID 1944 wrote to memory of 4320	1944	chrome.exe	104
PID 4832 wrote to memory of 4320	4832	EO-230807.exe	104
PID 1944 wrote to memory of 1356	1944	chrome.exe	105
PID 1944 wrote to memory of 1356	1944	chrome.exe	105
PID 4832 wrote to memory of 4320	4832	EO-230807.exe	104
PID 1944 wrote to memory of 2620	1944	chrome.exe	106
PID 1944 wrote to memory of 2620	1944	chrome.exe	106
PID 1944 wrote to memory of 2092	1944	chrome.exe	107
PID 1944 wrote to memory of 2092	1944	chrome.exe	107
PID 1944 wrote to memory of 1728	1944	chrome.exe	108
PID 1944 wrote to memory of 1728	1944	chrome.exe	108
PID 1944 wrote to memory of 636	1944	chrome.exe	109
PID 1944 wrote to memory of 636	1944	chrome.exe	109
PID 1944 wrote to memory of 4016	1944	chrome.exe	110
PID 1944 wrote to memory of 4016	1944	chrome.exe	110
PID 1944 wrote to memory of 6168	1944	chrome.exe	111
PID 1944 wrote to memory of 6168	1944	chrome.exe	111
PID 4320 wrote to memory of 4832	4320	chrome.exe	94
PID 1944 wrote to memory of 4804	1944	chrome.exe	113
PID 1944 wrote to memory of 4804	1944	chrome.exe	113

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EO-230807.exe

C:\Users\Admin\AppData\Local\Temp\EO-230807.exe
"C:\Users\Admin\AppData\Local\Temp\EO-230807.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Users\Admin\AppData\Local\Temp\EO-230807.exe
  "C:\Users\Admin\AppData\Local\Temp\EO-230807.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd3e6dcf8,0x7fffd3e6dd04,0x7fffd3e6dd10
      4⤵
      PID:6208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1876,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:2
      4⤵
      PID:4304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --field-trial-handle=1748,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=1892 /prefetch:3
      4⤵
      PID:6928
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --field-trial-handle=2152,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2844,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=2868 /prefetch:1
      4⤵
      PID:1356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2880,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:1
      4⤵
      PID:2620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3296,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:2092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3312,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=3292 /prefetch:2
      4⤵
      PID:1728
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=2800,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3360,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:2
      4⤵
      PID:4016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3472,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:1
      4⤵
      PID:6168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331" --field-trial-handle=4120,i,3245782623469215517,57532406777234333,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
      4⤵
      PID:4804

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Crashpad\settings.dat

Filesize
40B

MD5
e47d9758773d462d3734cb4cea91fcf3

SHA1
15de139331c923ea94f7f3c0f25a2e9ac3370018

SHA256
f9bbba076ba14854a593093af9df6fdc190ee8905ba74e0cbdc17d80d231a467

SHA512
09fce9c054683334683bf1344d90fa8188a2db27f90ef37d0921f4545451f58cb023e3c0bcfaf5b736644febbb29eae93e73bdd32d92ab310a88258634885d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
7f8900f7a72b05b9d61f6606acf61bc0

SHA1
b56e90ad3b18c0e3cee6188b8455e6f65f86fead

SHA256
78170b1a1b80b0229ba1b33dacea49a976e9e55701bcd67597da4303a1d20bc5

SHA512
c0fc7cccc16771b2ef665c0542045499a8d6fa8862a3b15d3d05ac54e673425cb9288b301085ce1eafc6ec5d6580739a8c6c2941e3845442209c3c24b715ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
f0d92918a05c33efd4954513e431fa5c

SHA1
6aaa94d3ad3227cb1ab1d2c0ad3a03925ee4c0f1

SHA256
205a0dce5be055de14b923bf6a31f333fe307c0a0c0ed50d2563e36811c1c475

SHA512
2cf977418d52f6932cadc4bb631c2785d4eaed53e9f77adb13a054ac1542a92e60fbb4f7efd8f156479eef75058fd7d6bde5349d58968e470d764d32fde166a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Cache\Cache_Data\index

Filesize
256KB

MD5
83a4236ad30e8155577e47669d8792dd

SHA1
14a7fb6f38addeac0287322270ece468bb5023df

SHA256
6c36633ed9ea58ce92bc4e8b8394e7bb8de9af7b1aca15f10754a113b32a8c69

SHA512
4643addd92ac4134f264269b13d3ffde593489c4fbb671d8f149b68f41c838f4b724628d711a0ec5cc81c25ad42bc4da4f5296a86d7f32b837d70af67a21718f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Code Cache\js\7018b8cf1c3b00c7_0

Filesize
306B

MD5
724c7c1544ad3cea114591dd06530e53

SHA1
e30085c665352fad6c0b93461f515143d1763334

SHA256
36db4c6b1775bcb8c1badda79ddc145dc49c41b27b9384ef63c571beedab4d9d

SHA512
8294eaf0fd76b5299bc4ba6ca06e57ac0f424ff46f681ae214c1e41d8aa099d19f4f982cd1f39002c72fa4ef137e0a99f1412f21c400671e4dd2599955d777be

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Code Cache\js\ba678a2fbd8c358c_0

Filesize
298B

MD5
5b72af7f244d13c17f1d1f812b8aebba

SHA1
6e2cf1363e29cc7048169e34df2ed57e156d48bd

SHA256
ebd4a5c07cafdaa33d80b8dd4b4ca105b03329459d96b6442909058b8a9a7b75

SHA512
23c9aed08b531118431a7c4e62f655fb4284028b6b6d4f3e1be01d4291954239fdee5fb4b744ad2b214916f29354211fe27da8a6163646912835e15c5f93faf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5294d52b4bdd8fcabc521649a82f570b

SHA1
32cb1060d8f59ffd63b4bc4f23cda75ef231787f

SHA256
90d0638a1c09f524011e7ea3d44e5d9c076e81373bd56be533bc826e329019b0

SHA512
806cd8bc192866564335b2b96b700591f8ab0430944e7ad0bdbfab50dc18047b51adf5cfb8fc38a6d21a8a453cde821f9bfb719dd705f3a5dfb8396413cfef1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
1bd8b809e5f2316c586bebcffd09d96a

SHA1
d6a5cd731a1a5a4f31455e4fe447ed10d98f12c0

SHA256
42aa987c1434a4173e325e1e4285e95bf60363dd5633064ef16045f1a55c1bce

SHA512
db62632a5b2dabf7b483aa389d5d0b7efc0ed013cfeaed212a7631fa1bdff5099065c790fa3574573db588c1e4e3311b067e7d7a4594005de7b6d0e6f9dae254

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\GPUCache\index

Filesize
256KB

MD5
68fc3888dee36984b52db191a3e33688

SHA1
b2aa60053174a67efe1ba930eb826c5818f762ce

SHA256
bd02806ec4ba1aa7487ff93bea73813a70a928307e7fada332cb395aab4d7bec

SHA512
6214d33139d0e40a3b00868801561001cf7750252dc1ff47fcf6a5ca7f69fc36f0e7201088714eb92c874005f6a138f9ef5ea2fdc328e7d7a9ae68ea36c21f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\README

Filesize
180B

MD5
883d62acd72005f3ad7a14500d482033

SHA1
e5900fe43fb18083bf6a483b926b9888f29ca018

SHA256
c43668eec4a8d88a5b3a06a84f8846853fe33e54293c2db56899a5a5dfb4d944

SHA512
97bb1bde74057761788436de519765ea4e6ba1ad3a02d082704e8b3efca3ef69d3db6e65b65e5f5f90205e72c164d82779cf754d52ec05d944df49f10d822a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Shared Dictionary\cache\index-dir\the-real-index

Filesize
48B

MD5
dd7f0ea2636f95dc345cad4d3cae8ed6

SHA1
c6734350661c59e08bda3690a2471e80e65fd8c8

SHA256
c8e36499fbc7a4c215adf8e7b1e56ff6ef838f9b0c463569b7c9977b42d96ec0

SHA512
c629096c9c7eea2b38691685cb2f206bc70ced10d297c8965ccebc18cc67e784324d36435c2545c718abe77edd447da28e32346a3a9bf6d76a9b86f263330916

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GrShaderCache\index

Filesize
256KB

MD5
e9f218f73f8fbbd4dd9ff73fabd168e4

SHA1
189c64c2d0bea2f7990ad7267a1d87af3a4d2c3e

SHA256
ee379bedbe384b221e41388fae78c0440abbaa0728a8827740140356bb5255dc

SHA512
b1bc447e4f9dcdf4fc39ee4f27f60e355acc53b7e5759ad3d31dce48a09ad1235d706c57946ab072fe02f1025ad21b45df395ef1f9d8f4dd72c10a112dcb9956

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\GraphiteDawnCache\index

Filesize
256KB

MD5
a91d75dd7cc28d2b3f14c6eaf7239e07

SHA1
5133cdf1b4ca9a2d75d9b3374d2334ae83a47e64

SHA256
70ce0778d6e0facaa5f132ffe3f409b699ddb1c57ed5a9970ebc152ccba577d1

SHA512
7d2760d8db43a69998a947349d671909a370f2c34ed09516baba1e94059c45546903cf78cebb6cbb6505911c28f4747d80fd672d67101174acee3860d2c9134d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbacgpuv.331\Local State

Filesize
1KB

MD5
6999bd3b40d343f398d24e6d540ce08d

SHA1
5077c232242a13ba52da303fde39fe7972ab9e24

SHA256
3ac83d5666ec27ba0d92d6a20697dfcaf8e0084b80a83a96e9f11b61a911a084

SHA512
21f85a9065af6940b3d90134806fecfff4a5cd0a40e91f6ad111ccf1520fc8610abccda38065864e2729edb693e56c50368e1dafa1a505977bc11498fa447a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi690C.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
memory/4320-5193-0x000001B5C2930000-0x000001B5C2A10000-memory.dmp

Filesize
896KB

Download
memory/4832-66-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-48-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-40-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-38-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-36-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-34-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-32-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-30-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-28-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-26-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-56-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-50-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-42-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-25-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-2089-0x0000000036910000-0x000000003693C000-memory.dmp

Filesize
176KB

Download
memory/4832-2090-0x0000000036940000-0x000000003698C000-memory.dmp

Filesize
304KB

Download
memory/4832-2091-0x0000000036BE0000-0x0000000036CC0000-memory.dmp

Filesize
896KB

Download
memory/4832-5117-0x0000000036D60000-0x0000000036DC6000-memory.dmp

Filesize
408KB

Download
memory/4832-5118-0x00000000370B0000-0x0000000037654000-memory.dmp

Filesize
5.6MB

Download
memory/4832-5119-0x0000000036E10000-0x0000000036EA2000-memory.dmp

Filesize
584KB

Download
memory/4832-5120-0x00000000377A0000-0x00000000377B2000-memory.dmp

Filesize
72KB

Download
memory/4832-5121-0x0000000037AE0000-0x0000000037B30000-memory.dmp

Filesize
320KB

Download
memory/4832-46-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-44-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-52-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-54-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-58-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-60-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-63-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-64-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-68-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-70-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-72-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-74-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-76-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-80-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-82-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-84-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-78-0x0000000036650000-0x00000000366E1000-memory.dmp

Filesize
580KB

Download
memory/4832-24-0x0000000036650000-0x00000000366E6000-memory.dmp

Filesize
600KB

Download
memory/4832-22-0x00000000016D0000-0x0000000003C7B000-memory.dmp

Filesize
37.7MB

Download
memory/4832-23-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/4832-21-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/5492-20-0x00000000051F0000-0x000000000779B000-memory.dmp

Filesize
37.7MB

Download
memory/5492-18-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/5492-17-0x0000000077A71000-0x0000000077B91000-memory.dmp

Filesize
1.1MB

Download
memory/5492-16-0x00000000051F0000-0x000000000779B000-memory.dmp

Filesize
37.7MB

Download