Resubmissions
16/04/2025, 14:21
250416-rpa9kawnt9 10Analysis
-
max time kernel
231s -
max time network
233s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
16/04/2025, 14:21
General
-
Target
VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
-
Size
64KB
-
MD5
4aa5734fe9c86184f931f4ddaf2d4d7b
-
SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac
-
SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
-
SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
-
SSDEEP
384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq
Score
10/10
Malware Config
Extracted
Family
guloader
C2
https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin
xor.base64
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 17 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs
-
Suspicious use of SetThreadContext 17 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 27 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe1⤵
-
C:\Users\Admin\TROFFE\erythroph.exeC:\Users\Admin\TROFFE\erythroph.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Users\Admin\TROFFE\erythroph.exe3⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 10924⤵
- Program crash
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\TestGet.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc9c1dcf8,0x7ffcc9c1dd04,0x7ffcc9c1dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1904,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=1900 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2244 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2372 /prefetch:132⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4196,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4220 /prefetch:92⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4724 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5324 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5408 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5468,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5640 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3276 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3080,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3608 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3272,i,9660622547756604030,11828065322054811154,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3804 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD56d04b737dfd729ae8afa22dd672c5628
SHA1f3be4a667d413a387adfcb6996c6107337e7c324
SHA25667956edf53b5fcfcc7f017eac36b79726e25ca5f36bc97fea396d1e7bcad8918
SHA512d5371c4751aba9aa1905d69308b14f1d1f40abfee5d52b4f67466fc1685fbdf0103109c0a2f33242ac34e0725b7efd346706b043d67d7c6dd0187403ad917845
-
Filesize
414B
MD568040e8620b8ecd3f780bc667aa8471b
SHA13c6d3a422f7eda7560ec8701e7061996ae577e0f
SHA256d0f538a36bc8bed577922f47723e4b3ff95d1d5baaf3226d0e889b6d2af0023a
SHA5124838e490ddb324633265260481ae761a8d7755c93dee40c3400c78a712a5330c8819074366075beb0137dd9b20acb22a74270489e0b5608898152f797e3813e8
-
Filesize
2KB
MD53e60ea92b944845a1891f1a23cafcc8d
SHA17d7226393942130f6775eb42c449cf95be11af94
SHA256ab211943771bffe9a5fc75305daebb4a66bbd3296a0d159cd25a44696c0d9db1
SHA51235972c6cacfa22decc738038e6f597f4e3d94a63abbcc4384a83dda3d4792ac8b67f395b437db66f97717dd7a2fef6a6245d9f433462761d4f34af5680fe6085
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
10KB
MD5e4ed0a866f70722eef4d9e8641e817d8
SHA1a95c4a81c7190805386306fa69629e5b785cf509
SHA256a97e9a85ae36ef18391722ad8cad003baac09e58f3e1f105dccae53fa4898049
SHA51297fc00b7a653c1e920bbad5e56711dc1912bc3dd7fa9f5e56964e169482f802df36e2ceede5219a863556b127463941b7b0a081b7218e4e44b0ae1c55a4f4d4f
-
Filesize
15KB
MD51f392154188ee1180199aaf97e3bbf8c
SHA1cffa5711362f8e60070608013d157bbadcc5a99d
SHA256b985301d135bb87de684c06043a5959e7e33e77197fafe0984d9d0ce4e1f86bd
SHA512a798cf8030b206e689ccc95ebecdce7dcf7c66a4af4bba19c177926f43efb61b52b67cb22ed55c8265d0fea2a77b13ecd28c6f181abd94722a61648f50e62865
-
Filesize
72B
MD56d41f92fdf7bcc42f306f9ad89f28927
SHA1971ff68abfc0ae3dbadbdb35b7a23dac0c990a4c
SHA256f7bdbc4f6f467315482a3bf1ccf5751ffcb00c8ffd3af6a086b683dd0bf88b3f
SHA512d40ef5129d2390f7c5f9ed3623de8eeb4114b1e8321cb77fe1a077b7d2526e41f6d4f17de11bffb2dd91c7090c430abe41494445c0a6d988c289957d2ead0ac5
-
Filesize
48B
MD5159f011733ec4fbf169fd0614108a5f6
SHA1efa84ea262c53103bb647d5f9db9951d1d2f1b10
SHA256ba0161292b4b26ec641ccce21f802668ca8200e18a24dbd4a9d1456905f18c77
SHA51293f1666db8d4cbb6258ca94ced1492312006b7274f881dc56efeaed701c6ff3475733cbd76551de265f24800da2dae7533d83df3e042d3d991cc0964252d603b
-
Filesize
152KB
MD5da1a236a3c2368a68652d79b441868af
SHA1e2da91a008d606f068531df365762198b3bda412
SHA256caa6f71c05ec956c86d284affe2628e85117ebfcd5df4636f5b647f5ad87c122
SHA5121f0439fb62c732315174770dd373a023d9a590a5a5364c0242b49d2b75d25143f763fd1a689d740d2ca7ca74a786e43ac9996e9eef0339122d0cb228660ec2fe
-
Filesize
78KB
MD58a6be326dcffb617519d73869d8f9ccd
SHA10cf1d47ea1d8c59f8787a42cc9407929050d476b
SHA2564adb3dff6b691b1de563e7326adf077aca0a3f8eb523dc11e7054dd778361fe2
SHA512c1b2d2cb6a680c651179b4ac9476da4d2a0df193a3a8c3bc4d7fe2d4e76cd49eca9decc2a98469631d0be512a083cb6f423d7fac9360a0ce1b5756a03e3f948c
-
Filesize
151KB
MD5271156b48bddafd93d5bf4ccca0acdf3
SHA1a62351a7a9a157c08eee920b27113ee0f1765c08
SHA2567ca67281593182b3c92a281635d620ae415d048801797535ab9b0bd9dab8f5d1
SHA512682533ed3cf944ec6b0ff781b5adc6cb3f9f0a25a2473db0665ad8387199f644b99011a0dbf2ec26a247220f87fc3a0749682a1ae52fd08ac47561e6e85cae5b
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
258B
MD50fce563db74c47ed74567b071649b51a
SHA1701f39abaff131f204cbd162dbac61e3ed7eaed7
SHA256694403e2972d40ffe93192ad6d7948e7e40e642fad8bf4400c56638a0cf8e9f3
SHA51206ae6076346984592486e53d0d685199d5b927734b7fc60061c6b4359b688710a59abc41bf4e483756ff840c38aac9830384db5d6e5a3000056d54fe615abb8f
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
64KB
MD54aa5734fe9c86184f931f4ddaf2d4d7b
SHA1a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA2562e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA5127355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
1.2MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.5MB
-
Filesize
2.0MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.5MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB